=====================================================================
CERT-Renater
Information Note No. 2013/VULN008
_____________________________________________________________________

DATE : 09/01/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Windows versions Vista, 7, 8, Server 2008,
                      Server 2012, RT running the Microsoft Windows
                      SSL and TLS implementation.

======================================================================
KB2785220
http://technet.microsoft.com/en-us/security/bulletin/ms13-006
______________________________________________________________________

Microsoft Security Bulletin MS13-006 - Important

Vulnerability in Microsoft Windows Could Allow Security Feature Bypass
(2785220)

Published Date: January 8, 2013
Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in the
implementation of SSL and TLS in Microsoft Windows. The vulnerability
could allow security feature bypass if an attacker intercepts encrypted
web traffic handshakes.

This security update is rated Important for all supported editions of
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
Windows 8, Windows Server 2012, and Windows RT.

The security update addresses the vulnerability by modifying the way
that the Windows SSL provider component handles encrypted network
packets.

Affected Software

Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for 64-bit Systems
Windows Server 2012
Windows RT
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)

Vulnerability Information

Microsoft SSL Version 3 and TLS Protocol Security Feature Bypass
Vulnerability - CVE-2013-0013

A security feature bypass vulnerability exists in the way that
Microsoft Windows SSL/TLS (Secure Sockets Layer and Transport Layer
Security) handles the SSL version 3 (SSLv3) and TLS protocols. The
vulnerability could allow security feature bypass if an attacker
injects specially crafted content into an SSL/TLS session.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel | fax : 01-53-94-20-41             +
+ 75013 Paris        | email: certsvp@renater.fr        +
=========================================================