Microsoft Security Advisory 3155527
Update to Cipher Suites for FalseStart
Published: May 10, 2016
Version: 1.0
Executive Summary
FalseStart allows the TLS client to send application data before receiving and verifying the server Finished message. This allows an attacker to launch a man-in-the-middle (MiTM) attack to force the TLS client to encrypt the first flight of application_data records using the attacker’s chosen cipher suite from the client’s list. To avoid downgrade attacks, TLS clients only allow FalseStart when their strongest cipher suites are negotiated.
This advisory update provides a routine maintenance of the list of cipher suites that can be used with FalseStart. This update has no impact on connectivity or interoperability.
For additional details and deployment guidance, see Microsoft Knowledge Base Article 3155527.
Affected Software
| Operating System |
|---|
| Windows 8.1 for 32-bit Systems |
| Windows 8.1 for x64-based Systems |
| Windows Server 2012 |
| Windows Server 2012 R2 |
| Windows RT 8.1 |
| Windows 10 for 32-bit Systems |
| Windows 10 for x64-based Systems |
| Windows 10 Version 1511 for 32-bit Systems |
| Windows 10 Version 1511 for x64-based Systems |
| Server Core installation option |
| Windows Server 2012 (Server Core installation) |
| Windows Server 2012 R2 (Server Core installation) |
Advisory FAQ
What is the scope of the advisory?
To announce the availability of an update to the list of cipher suites that can be used with FalseStart.
What does the update do?
The update provides the latest list of cipher suites that can be used with FalseStart. This update has no impact on connectivity or interoperability.
Acknowledgments
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.
Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Feedback
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Support
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (May 10, 2016): Advisory published.
Page generated 2016-05-04 10:20-07:00.