MS12-006 MS12-006 - Important : Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) - Version: 1.3
Version2013-07-17
Severity Rating: Important
Revision Note: V1.3 (July 17, 2013): Corrected the update replacement for the 2585542 update. This is a bulletin change only. There were no changes to the detection logic or update files.
Summary: This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Bulletin details at Microsoft.com
Bulletin details at Microsoft.com
Related CVE Entries
CVE-2011-3389
Public exploit
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Max CVSS
4.3
EPSS Score
0.85%
Published
2011-09-06
Updated
2022-11-29