Microsoft SSL Vulnerability gives attackers opportunity to gain control of leading banking sites

Microsoft has issued a fix for a security vulnerability that has exposed tens of thousands of sites offering encrypted transactions to potential compromise. The bug in Microsoft's Secure Sockets Layer (SSL) library allows remote attackers to gain control of unpatched Windows 2000 and Windows NT4 servers offering encrypted services over the internet.

The vulnerability was revealed Tuesday by Internet Security Systems, which warned that "hackers will aggressively target this vulnerability given the high-value nature of Web sites protected by SSL," which secures web sites for online banking, stock trading and retailing. Microsoft issued a critical security update Wednesday to address the vulnerability, a buffer overflow in the handling of Private Communications Transport (PCT) packets. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said in its advisory, adding that "only systems that have SSL enabled" are vulnerable. SSL is the only commonly used protocol for encrypted transactions of financially important or confidential information on the Web.

More than 132,000 web-facing SSL servers are running either Windows 2000 or Windows NT4, according to our March Secure Server Survey, representing nearly 45 percent of all SSL servers. The PCT and SSL 2.0 protocols targeted by the exploit are enabled by default in Win2K and NT4.

PCT was an attempt by Microsoft to establish their own variant of the SSL protocol. Based on SSL version 2, it addressed some of the weaknesses in the earlier protocol, and has been supported since IIS version 4. The standard was not widely adopted outside of Microsoft's own products, and SSL version 3 became the general standard. Microsoft appear to have conceded defeat, and Windows Server 2003 has SSLv3 enabled and PCT disabled by default. The likely outcome of this latest vulnerability will be the abrupt death of PCT, as administrators disable it on all older servers.
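For administrators who want to disable PCT (and SSL 2.0, which the article notes is also enabled by default) on Windows 2000 and NT4 servers, the Schannel protocol switches live in the registry. The following .reg file is an added illustration, not part of the original article or of Microsoft's advisory; it uses the documented Schannel key layout, where a missing `Enabled` value means the protocol is on. Disabling the protocols is a hardening step that complements the patch rather than replacing it, and the change takes effect after a reboot.

```reg
Windows Registry Editor Version 5.00

; Server-side protocol switches for Microsoft's SSL implementation (Schannel).
; On Windows 2000 and NT4 these keys are normally absent, which leaves
; PCT 1.0 and SSL 2.0 enabled by default; an explicit Enabled=0 turns them off.

; Disable PCT 1.0 on the server side (the protocol targeted by the PCT overflow).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

; Disable SSL 2.0 on the server side as well; it is the weaker protocol that
; PCT was derived from and is also enabled by default on these systems.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

; Leave SSL 3.0 enabled so that browsers can still negotiate an encrypted
; session; this key is shown only to make the intended end state explicit.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
```

After importing the file and rebooting, confirm that the site still negotiates SSL 3.0 with a current browser before treating the change as complete.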

SSL sites could be expected, in theory, to be more actively maintained and patched than other machines. However, our experience has been that SSL servers are often treated with a surprising lack of urgency by system administrators. Also, some vulnerability scanners and intrusion detection systems are not set up to monitor SSL sites, making them seem a lower priority for security patching.

Many sites performing critical financial transactions use either Win2K or NT4, including Official Payments, which handles online tax payment for the Internal Revenue Service and is likely processing a surge of last-minute e-filings ahead of tomorrow's U.S. income tax filing deadline. Auction site eBay, a favorite target of Internet scams, runs its CGI servers on Windows NT4 and its payments.ebay.com servers on Windows 2000. Many other leading retailers and financial institutions host financially significant web sites on Microsoft-IIS systems, including Dell Computers, Bank One, Merrill Lynch and Prudential.

SANS noted a sharp spike in remote scans of port 443 on Friday, suggesting that some attackers were familiar with the problem ahead of the announcements from ISS and Microsoft, and were actively trying to make best use of their window of opportunity before Microsoft made patches available.