Tech firms patch 'Beast' SSL flaws

Microsoft, Google, and Mozilla developers are addressing a flaw in SSL encryption that could allow an attacker to decrypt intercepted traffic.

Microsoft said that it would bring out a patch for the flaw in an advisory on Monday. The patch could be out-of-cycle or in-band, depending on the impact of the flaw on customers, the company said.

"Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system," the company said. "This vulnerability affects the protocol itself and is not specific to the Windows operating system."

The flaw, which has been known for a number of years, was successfully exploited by security researchers Juliano Rizzo and Thai Duong. Rizzo and Duong demonstrated a proof-of-concept (PoC) tool called 'Browser Exploit Against SSL/TLS' (Beast) at the Ekoparty security conference on 23 September. The Beast PoC allows a man-in-the-middle attack on a browser session. SSL is used by many websites to encrypt financial transactions.

The duo reported the vulnerability to browser, plugin and SSL vendors "several months ago", Duong said in a blog post on Sunday.

Mozilla developers are currently working on a fix for Firefox, while Google developers are in the process of modifying the Chrome browser.