Working exploits have been released for a Windows SSL vulnerability which leaves servers open to a denial of service (DoS). Code for the exploit, known as SSL Bomb, was released last Wednesday, just a day after the vulnerability was described in Microsoft's recent security updates. Malformed SSL packets can force Windows 2000 and Windows XP machines to stop accepting SSL connections, and cause Windows Server 2003 to reboot.
Although this flaw is only a DoS weakness, a server still exposed to it is by definition unpatched, and so also remains at risk from the other vulnerabilities addressed in the same update. Several of these vulnerabilities can be used to compromise servers, and "exploits with remote code execution may be expected soon," according to the SANS Institute, which is publishing detection signatures for the evolving exploit code. Microsoft says the vulnerability exists on any unpatched system that uses SSL, including Internet Information Server (versions 4.0, 5.0 and 5.1), Exchange Server (5.5, 2000 and 2003) and SQL Server 2000.
The "SSL Vulnerability" in critical security bulletin MS04-011 is different from the "PCT Vulnerability" in the same update, which allows a remote attacker to compromise unpatched systems running SSL. The MS04-011 critical update addresses 14 separate security issues, prompting criticism that the bundling of major fixes amounts to an effort by Microsoft to stage-manage security updates.
"I view the consolidation tactic as part of what I call Microsoft's 'security by PR,' meaning public relations, strategy," writes Jupiter Research analyst Joe Wilcox. "Certainly, Microsoft should be commended for warning customers of vulnerabilities and issuing the appropriate patches. But, I don't think customers' best interests, or even Microsoft's, are served by apparently diminishing the overall security problem."