Microsoft TLS/SSL CVE-2016-0149 Information Disclosure Vulnerability

Description

An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets. Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments. In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.

Affected Applications

Microsoft .NET Framework 4.6 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows RT 8.1
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows Vista x64 Edition Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.6 on Windows Vista x64 Edition Service Pack 2
Windows 8
Windows 7
Windows 10
Windows Server 2008
Windows Server 2012
Microsoft .NET Framework 4.6/4.6.1 on Windows RT 8.1

CVE References

Other References