Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012


View products that this article applies to.

INTRODUCTION

Microsoft has released security bulletin MS12-006. To view the complete security bulletin, go to one of the following Microsoft websites: 

How to obtain help and support for this security update


Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

↑ Back to the top


Fix it for me

Two Fix it solutions are available.
  • Fix it solution for Transport Layer Security (TLS) 1.1 in Internet Explorer: This solution enables TLS 1.1, which is not affected by this vulnerability, in Windows Internet Explorer. Most typical users should install this Fix it solution. 
  • Fix it solution for TLS 1.1 on Windows-based servers: This solution enables TLS 1.1, which is not affected by the vulnerability. 
The Fix it solutions that are described in this section are not intended as replacements for any security update. We recommend that you always install the latest security updates. However, we offer these Fix it solutions as workaround options for some scenarios. 

For more information about the workarounds, see security bulletin MS12-006:
The bulletin provides more information about the issue and includes the following:
  • The scenarios in which you might apply or disable the workaround
  • Mitigating factors
  • Workarounds
  • Frequently asked questions
Specifically, to see this information, look for the Vulnerability Information section, and then expand the Workarounds paragraph under the SSL and TLS Protocols Vulnerability - CVE-2011-3389 paragraph.

Fix it solution for TLS 1.1 on Internet Explorer

To enable or disable this Fix it solution, click the Fix it button or link under the Enable or Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it Wizard.
EnableDisable

Notes

  • These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem. 

Fix it solution for TLS 1.1 on Windows-based servers

To enable or disable this Fix it solution, click the Fix it button or link under the Enable or Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it Wizard.
EnableDisable

Notes

  • These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem. 

↑ Back to the top


Known issues with this security update

After you install this security update, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers.

To temporarily disable or re-enable this security update, click the Fix it button or link under the Disable the security update or Re-enable the security update heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Disable the security update Re-enable the security update
Notes
  • These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem. 
The following table shows the values that are applied by these Fix it solutions to the SendExtraRecord registry DWORD entry:
Heading Value applied to SendExtraRecord entry
Disable the security update 2
Re-enable the security update 0
Note The SendExtraRecord setting will be included in future releases of Windows.

Known issues and additional information about this security update

The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link:
  • 2585542 MS12-006: Description of the security update for Webio, Winhttp, and schannel in Windows: January 10, 2012
  • 2638806 MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012

Registry information

Not recommended We do not recommend that you use the following procedure to disable this security update. However, we provide this procedure for scenarios in which you may be using applications that are incompatible with this security update, which enables split SSL records for all applications.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


By default, this security update sets the Opt-in mode at the schannel level, because of application compatibility issues. To disable this security update for all applications system-wide, you must add a DWORD value that's named SendExtraRecord and that has a value of 2 to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
To add this schannel registry entry registry entry, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type SendExtraRecord for the name of the DWORD value, and then press Enter. 
  5. Right-click SendExtraRecord, and then click Modify.
  6. In the Value data box, type 2 to disable the split record in schannel, and then click OK.
  7. Exit Registry Editor.
This registry entry can have three values, and each value provides different modes of operation:
Reg-key Value Description
0By default, schannel is included in "Optin Mode." This means that this security update will work for all the callers who send the Secure flag to schannel. The "SendExtraRecord" schannel registry entry will not be created by the security package. Therefore, no schannel registry entry means the system is running this mode. If someone creates this registry key and set the value to 0, schannel will again run in this mode.

This setting has the same effect as not creating this registry entry at all. Applications that send a Secure flag to schannel during session initialization will only exercise the fixed secure code path. For other applications, there will be no change in schannel behavior.

This security update also fixes the application layers that are involved in web browsing by using Internet Explorer to send the Secure flag, in order to help secure the browser usage scenarios.

Note In Windows Server 2003, security update 2638806 must be installed to help secure HTTP client applications that use WinHTTP APIs. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 
2638806 MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012
1 Setting the value to 1 means "enabled for all." This means callers do not have to send the flag, and the schannel will split all SSL records. With this value set, applications do not have to take any change. A customer who is very concerned about system security can help make their system safer by enabling this registry key.
2 Setting the value to 2 means "disabled for all." This means that the schannel will not split the records for any encryption call that the application makes. This mode does not honor the Secure flag that an application sends.
Based on internal testing, we found that you cannot feasibly set the registry value to 1 because it can break too many scenarios in an enterprise. Therefore, we discourage users from using it.

Known issues with enabling the SendExtraRecord registry entry

  • Setting the SendExtraRecord registry value to 1 enforces record-splitting in every call to encrypt data in schannel. This occurs regardless of whether the caller sent the Secure flag during session initialization.
  • Many applications that use schannel are written so that the receiver side assumes application data will be packed into a single packet. This occurs even though the application calls schannel for decryption. The applications ignore a flag that is set by schannel. The flag indicates to the application that there is more data to be decrypted and picked up by the receiver. This method does not follow the MSDN-prescribed method of using schannel. Because the security update enforces record-splitting, this breaks such applications.
  • Broken applications include Microsoft products and in-box components. The following are examples of scenarios that may be broken when the SendExtraRecord registry value is set to 1:
    • All SQL products, and applications that are built onto SQL.
    • Terminal Servers that have Network Level Authentication (NLA) turned on. By default, NLA is enabled in Windows Vista and later versions of Windows.
    • Some Routing Remote Access Service (RRAS) scenarios.
Setting the SendExtraRecord registry value to 1 enforces the secure record-splitting for all applications that use Windows TLS/SSL. However, this setting is likely to have application compatibility issues. Therefore, we recommend that customers configure TLS 1.1 and TLS 1.2 instead of using this registry setting. TLS 1.1 and TLS 1.2 are not vulnerable to this issue.

If a user intends to use this registry setting, we recommend that they extensively test application compatibility testing before they implement it. Some common products that are known to be affected by this setting include Microsoft SQL products, Windows Terminal Server, and Windows Remote Access Server.

↑ Back to the top


FAQ

Q: What can Microsoft do to help me fix my server-side application?
A: Make sure that your application can handle the Fragmentation of SSL/TLS application records, as described in the following RFCs:

↑ Back to the top


Keywords: kb, atdownload, kbfix, kbbug, kbexpertiseinter, kbmustloc, kblangall, kbsecurity, kbsecbulletin, kbsecreview, kbsecvulnerability, kbsurveynew

↑ Back to the top

Article Info
Article ID : 2643584
Revision : 1
Created on : 1/7/2017
Published on : 4/17/2014
Exists online : False
Views : 490