-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2074
        Microsoft Security Bulletin MS15-089: Vulnerability in WebDAV
               Could Allow Information Disclosure (3076949)
                               12 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2476

Original Bulletin:
   https://technet.microsoft.com/en-us/library/security/MS15-089

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS15-089: Vulnerability in WebDAV Could Allow
Information Disclosure (3076949)

Bulletin Number: MS15-089
Bulletin Title:  Vulnerability in WebDAV Could Allow Information Disclosure
Severity:        Important
KB Article:      3076949
Version:         1.0
Published Date:  August 11, 2015

Executive Summary

This security update resolves a vulnerability in Microsoft Windows. The
vulnerability could allow information disclosure if an attacker forces an
encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that
has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt
portions of the encrypted traffic.

This security update is rated Important for all supported releases of
Microsoft Windows except Itanium servers and Windows 10, which are not
affected. For more information, see the Affected Software section.
Affected Software

Windows Vista
  Windows Vista Service Pack 2
  Windows Vista x64 Edition Service Pack 2

Windows Server 2008
  Windows Server 2008 for 32-bit Systems Service Pack 2[1]
  Windows Server 2008 for x64-based Systems Service Pack 2[1]

Windows 7
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2
  Windows Server 2008 R2 for x64-based Systems Service Pack 1[1]

Windows 8 and Windows 8.1
  Windows 8 for 32-bit Systems
  Windows 8 for x64-based Systems
  Windows 8.1 for 32-bit Systems
  Windows 8.1 for x64-based Systems

Windows Server 2012 and Windows Server 2012 R2
  Windows Server 2012[1]
  Windows Server 2012 R2[1]

Windows RT and Windows RT 8.1
  Windows RT[2]
  Windows RT 8.1[2]

[1] Servers are affected only if Desktop Experience is installed.
[2] This update is available via Windows Update only.

Vulnerability Information

WebDAV Client Information Disclosure Vulnerability - CVE-2015-2476

An information disclosure vulnerability exists in the Microsoft Web
Distributed Authoring and Versioning (WebDAV) client that is caused when it
explicitly allows the use of Secure Socket Layer (SSL) 2.0. An attacker who
successfully exploited this vulnerability could decrypt portions of
encrypted traffic.

To exploit the vulnerability, an attacker could force an encrypted SSL 2.0
session with a WebDAV server that has SSL 2.0 enabled and use a
man-in-the-middle (MiTM) attack to decrypt portions of the encrypted
traffic.

The security update addresses the vulnerability by ensuring that the
Microsoft WebDAV client defaults to more secure protocols than SSL 2.0.

Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was originally issued
Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers.
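The bulletin's fix is the update itself (KB3076949), which stops the WebDAV client from negotiating SSL 2.0. The PowerShell below is an added example, not part of the Microsoft bulletin or of AusCERT's text: it checks whether that hotfix is present and whether the Schannel SSL 2.0 client protocol is still allowed on the host, and can set the disabled configuration. The hotfix ID and CVE come from the bulletin; the Schannel registry path and the `Enabled` / `DisabledByDefault` values are the standard Windows Schannel protocol settings (an `Enabled` value of 1, or the key being absent on older releases, leaves SSL 2.0 available to every Schannel-based client, including WebDAV). It assumes an elevated session and that a reboot follows any change.

```powershell
# Added example (not from the bulletin): audit and harden SSL 2.0 client use
# on a Windows host in the scope of MS15-089 / CVE-2015-2476.
# Requires an elevated PowerShell session; Schannel reads the keys at boot.

$Ssl2ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client'

function Test-Ms15089Patch {
    # $true when the MS15-089 update (KB3076949, from the bulletin) is installed.
    $hotfix = Get-HotFix -Id 'KB3076949' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-Ssl2ClientState {
    # Reads the Schannel SSL 2.0 client values. A missing key means Windows
    # uses its built-in default, so that case is reported explicitly.
    if (-not (Test-Path -Path $Ssl2ClientKey)) {
        return [pscustomobject]@{ KeyPresent = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $props = Get-ItemProperty -Path $Ssl2ClientKey
    return [pscustomobject]@{
        KeyPresent        = $true
        Enabled           = $props.Enabled             # weak setting: 1 (or absent)
        DisabledByDefault = $props.DisabledByDefault   # weak setting: 0 (or absent)
    }
}

function Disable-Ssl2Client {
    # Hardened setting: SSL 2.0 client disabled outright and not offered by
    # default. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($Ssl2ClientKey, 'Disable SSL 2.0 client protocol')) {
        New-Item -Path $Ssl2ClientKey -Force | Out-Null
        New-ItemProperty -Path $Ssl2ClientKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Ssl2ClientKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: report the current posture, then point at the remediation if needed.
if (Test-Ms15089Patch) {
    'KB3076949 installed'
} else {
    'KB3076949 NOT installed: CVE-2015-2476 is unpatched on this host'
}

$state = Get-Ssl2ClientState
if ($state.KeyPresent -and $state.Enabled -eq 0 -and $state.DisabledByDefault -eq 1) {
    'SSL 2.0 client: explicitly disabled'
} else {
    'SSL 2.0 client: not explicitly disabled; run Disable-Ssl2Client and reboot'
}
```

Disabling SSL 2.0 at the Schannel level removes the protocol for every Schannel consumer, so it is a broader control than the update, which only changes the WebDAV client's default; on a host that is already patched the audit simply confirms both layers agree.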
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVcqMx36ZAP0PgtI9AQJO2A/8DdSiKSctICeQUUTRVKFIN9gGzfYzVOMP
oSyUEwrnMCCM9OuOEvXWCCpmbVflFofCYjtQrG1a/H14Z0KyX/9qZAte/e/YO51e
xb7lC7I2sUT6Hh5ps7OR7zHqiOOofHf5HRr6lZeSChyOWhWTvuy5AFQFd+cTSkXU
xzs4ecgxxrkkaSusObK2okNFwsxw5SMcM+B3cmiXhDpGCMNRnu6QkPEEBfyhuHe7
Hi8tbipBcTNZ0Fk5j9aW97OzBGUbqXzl0nO61lP8JF5+eQQ3LKcwBEDAsx9Tu3co
04Sr/bCMhO9Cq9YsagY24gfSwBRYZzPdd9YOr9O5VQE18IGLBKH7+mNoIfZhTmly
vVCK6jIwNwlgqBsDozENqrSY7aVmMHKPymysJQRFz9HIlK3YlXEwqpVTE/xzuLBQ
FqpBWspX6L6jp9BH/zIFmNvSDj4pe7pMN+thAS5T30MbSXyjW6eIcG8PWLkytxui
l30GdSGix49AzOdEGK3w7Dn5MsdHtzGuxPj3Vb1YLcgeP4QtxGRzZRoeBeoXI4fZ
Pl6Jw8bHhQm4PlgkLQ1GjhxhyRdBoR6Ishk4Bbi358GjRUgh7QASVW/rUgtSSVTq
ODSJGzT7yRgSOUq7CaZaY8o+pWOTyqCzpK19qqLQqg4bu4iKdk1tL+3FFQTD9yBl
K1+Pp9z7zYs=
=AMkr
-----END PGP SIGNATURE-----