Man-in-the-Middle

Weaknesses in MS-CHAPv2 authentication

MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol and is described in RFC2759.  A recent presentation by Moxie Marlinspike [1] has revealed a breakthrough which reduces the security of MS-CHAPv2 to a single DES encryption (2^56) regardless of the password length.  Today, we published Security Advisory 2743314 with recommendations to mitigate the effects of …

Weaknesses in MS-CHAPv2 authentication Read More »

Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates

Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar. We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those …

Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates Read More »

MS10-049: An inside look at CVE-2009-3555, the TLS renegotiation vulnerability

This issue was identified by security researchers Marsh Ray and Steve Dispensa. The vulnerability exists because certain Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protected protocols assume that data received after a TLS renegotiation is sent by the same client as before the renegotiation. Renegotiation is TLS functionality that allows either peer to change the …

MS10-049: An inside look at CVE-2009-3555, the TLS renegotiation vulnerability Read More »

MS10-030: Malicious Mail server vulnerability

Today we released the fix for CVE-2010-0816 in MS10-030. This vulnerability affects Outlook Express, Windows Mail, and Windows Live Mail. We recommend that you install the update as soon as possible, but realize that some customers may need to prioritize which updates they install first. While the vulnerability is rated critical, many customers may not …

MS10-030: Malicious Mail server vulnerability Read More »