Microsoft Security Advisory 2977292

Update for Microsoft EAP Implementation that Enables the Use of TLS

Published: October 14, 2014

Version: 1.0

General Information

Executive Summary

Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry. For more information, see Microsoft Knowledge Base Article 2977292.

Recommendation. Microsoft recommends that customers test any new settings for enabling TLS 1.1 or 1.2 prior to implementation in their environments. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

References                          Identification
Microsoft Knowledge Base Article    2977292

Affected Software

This advisory discusses the following software.

Operating System
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT
Windows RT 8.1
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

Advisory FAQ

What is the scope of the advisory? 
The purpose of this advisory is to notify customers that an update is available for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2.

What is EAP? 
Extensible Authentication Protocol (EAP) is an authentication framework included in Windows client and Windows server operating systems. EAP in Windows includes many authentication protocols for network access authentication when you deploy dial-up, virtual private network (VPN), 802.1X wireless, and 802.1X wired technologies using Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

What is TLS? 
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.

What might an attacker use the vulnerability to do? 
Use of lower versions of TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.

What is a man-in-the-middle attack? 
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's system without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

What does the update do? 
The update enables the support of TLS 1.1 and 1.2 as an available protocol on affected systems through registry settings. Microsoft recommends that customers test any new settings for enabling TLS 1.1 or 1.2 prior to implementation in their environments. 
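One way to test a new setting is to confirm, from captured 802.1X or RADIUS traffic, which TLS version a client actually offers inside EAP. The following is an added example, not part of the advisory or of Microsoft's tooling. It assumes the EAP-TLS framing of RFC 5216 (method type 13), and the function names and sample frames are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2          # EAP code: peer -> authenticator
EAP_TYPE_TLS = 13         # EAP-TLS method type (RFC 5216)
FLAG_LENGTH = 0x80        # "L" flag: 4-byte TLS Message Length follows
TLS_HANDSHAKE = 22
CLIENT_HELLO = 1
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def client_hello_version(eap: bytes):
    """Return the ClientHello client_version in an EAP-TLS response, or None."""
    if len(eap) < 6:
        return None
    code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_TLS or length > len(eap):
        return None
    offset = 6 + (4 if flags & FLAG_LENGTH else 0)
    tls = eap[offset:length]
    # TLS record header (5 bytes) + handshake header (4 bytes) + client_version (2)
    if len(tls) < 11 or tls[0] != TLS_HANDSHAKE or tls[5] != CLIENT_HELLO:
        return None
    return struct.unpack("!H", tls[9:11])[0]


def audit(eap: bytes, minimum: int = 0x0302):
    """Classify one frame: (version name, True if it meets the minimum)."""
    version = client_hello_version(eap)
    if version is None:
        return ("not an EAP-TLS ClientHello", False)
    return (VERSIONS.get(version, hex(version)), version >= minimum)


def build_sample(client_version: int, with_length_flag: bool) -> bytes:
    """Constructed test frame: EAP-TLS response carrying a minimal ClientHello."""
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")  # no session id, one suite, null compression
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    rec = struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs
    flags = FLAG_LENGTH if with_length_flag else 0
    payload = bytes([flags]) + (struct.pack("!I", len(rec)) if with_length_flag else b"") + rec
    return struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(payload), EAP_TYPE_TLS) + payload


if __name__ == "__main__":
    for ver in (0x0301, 0x0303):
        print(audit(build_sample(ver, with_length_flag=True)))
```

The check reads the version from the ClientHello body rather than the record header, because clients commonly send a lower record-layer version for compatibility.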

Suggested Actions

  • Apply the update for supported releases of Microsoft Windows

    The majority of customers have automatic updating enabled and will not need to take any action because the 2977292 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

    For administrators and enterprise installations, or end users who want to install the 2977292 update manually, Microsoft recommends that customers apply the update using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2616676.

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed. 

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Nick Lowe of Lugatech for working with us to provide this security update

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (October 14, 2014): Advisory published.

Page generated 2014-10-09 15:03Z-07:00.