Researchers Develop New Attack on SSL

Researchers have developed a new attack on SSL 3.0 that enables them to decrypt client requests on the wire and hijack confidential sessions on https sites. The attack breaks the confidentiality model of the protocol and is the first known exploitation of a flaw in SSL. It has the potential to impact the security of transactions on millions of sites. It could also potentially impact SSL VPN and instant messaging clients.

The attack involves the use of a tool that enables attacker to catch and decrypt HTTPS cookies from active user sessions. The tool can be loaded into a user’s browser through the use of an iframe ad or loading JavaScript into the browser. Once the tool is activated it runs its own sniffer that looks for active TLS connections and then grabs and decrypts the HTTPS cookie, enabling the attacker to hijack the victim’s session with that site.

The researchers have been in touch with the major browser vendors to work with them on patching any perceived vulnerabilities. Microsoft has released Security Advisory 2588513 along with several fixit tools. At date of release there were no reports of exploitation in the wild. The vulnerability requires a number of factors work in favour of the would-be attacker to be successful and hence customers are at minimal risk.

More Info on Technet and The Register.

http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx