Secunia Security Advisory - A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to bypass certain security mechanisms.
TITLE:
Microsoft Windows SChannel Authentication Bypass
SECUNIA ADVISORY ID:
SA34215
VERIFY ADVISORY:
http://secunia.com/advisories/34215/
DESCRIPTION:
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to bypass certain security mechanisms.
The vulnerability is caused by insufficient validation of certain
TLS (Transport Layer Security) handshake messages by the SChannel
(Secure Channel) authentication component during certificate-based
authentication. This can be exploited to bypass authentication using
the public component of a user's authentication credential.
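The check at issue, proof of possession of the private key during certificate-based authentication, sketched as an added example (not Secunia's or Microsoft's code, and not a model of SChannel internals): a server that accepts a known certificate alone is compared with one that also verifies a signature over the handshake transcript. The toy RSA key, the `alice` certificate, the nonce values and all function names are constructed for illustration.

```python
import hashlib

# Toy RSA key pair for a constructed user "alice". Two Mersenne primes keep the
# arithmetic readable; this is far too small and unpadded for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: never leaves the user

ALICE_CERT = {"subject": "alice", "n": N, "e": E}  # public component only
TRUSTED_CERTS = [ALICE_CERT]                       # server-side mapping (assumed)


def transcript(server_nonce: bytes, cert: dict) -> bytes:
    """Bytes both sides agree were exchanged in this handshake (simplified)."""
    return server_nonce + cert["subject"].encode() + str(cert["n"]).encode()


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, d: int, n: int) -> int:
    """Client side: only the private-key holder can compute this."""
    return pow(digest(data, n), d, n)


def accepts_cert_only(cert, signature, server_nonce) -> bool:
    """Insufficient validation: a known certificate is treated as identity."""
    return cert in TRUSTED_CERTS


def accepts_with_possession_proof(cert, signature, server_nonce) -> bool:
    """Also require a valid signature over this handshake's transcript."""
    if cert not in TRUSTED_CERTS or signature is None:
        return False
    expected = digest(transcript(server_nonce, cert), cert["n"])
    return pow(signature, cert["e"], cert["n"]) == expected


if __name__ == "__main__":
    nonce = b"constructed-server-nonce-1"
    good = sign(transcript(nonce, ALICE_CERT), D, N)
    for check in (accepts_cert_only, accepts_with_possession_proof):
        print(check.__name__,
              "| key holder:", check(ALICE_CERT, good, nonce),
              "| certificate only:", check(ALICE_CERT, None, nonce))
```

Because the signature covers a fresh server nonce, a signature captured from one handshake does not verify in another.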
SOLUTION:
Apply patches.
Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=bf7065bc-c183-4a78-8d46-72fe7385c07c
Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3
Windows XP SP3:
http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3
Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?familyid=6d02306e-9e2e-4ae8-bd21-8a2c1a229472
Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=0b3f6fdd-276e-4267-99d8-8f00d91ad6a2
Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?familyid=ce98ff55-f565-469d-bbd2-32b681faf908
Windows Server 2003 with SP1/SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5ca3c72c-cadb-4b0a-b3a3-fb81d0bfd7b3
Windows Vista (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?familyid=21086a04-402a-4940-8358-7fa63508102b
Windows Vista x64 Edition (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?familyid=c75a2ea9-b42f-457b-be09-5c8fa0339388
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=47b361ce-624b-466c-b5c5-8703f6532615
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5c81ac45-60e6-4121-ab6b-d3b3179aacc4
Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=bf8f5a86-1757-4f9b-b632-d4aa7005a9f8
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
* Secretaria da Fazenda do Estado do Rio Grande do Sul
* Cia de Processamento de Dados do Estado do Rio Grande do Sul
ORIGINAL ADVISORY:
MS09-007 (KB960225):
http://www.microsoft.com/technet/security/Bulletin/MS09-007.mspx