Microsoft warns of SSL/TLS vulnerabilities

How does this affect OCS?

First of all, this isn't just another Microsoft security flaw. Microsoft has filed this with ICASI as a general security vulnerability affecting multiple implementations of TLS and SSL. Moreover, Microsoft has noted it affects every currently supported version of Microsoft operating systems from Windows 2000 to Windows 7 and Server 2008 R2.

Great news, but why am *I* posting about it? Simple, Microsoft OCS is architected completely around TLS for its security. I guess the good news is there are no known exploits in the wild, but I'm sure it's only a matter of time before there are. With a hole this big, it may take awhile for all the vendors involved to issue patches.

Based on Security Advisory 977377 which Microsoft issued just hours ago, it seems that OCS could be affected. I don't know how trivial the implementation would be but the article describes a MITM, man in the middle, attack accomplished through DNS spoofing. Or, it could also be the the TLS/SSL encryption renogiation process is different enough in OCS so as not to be affected. More info as it becomes available.

• Microsoft
• Microsoft
• OCS
• Office Communications Server
• security