Re: Vista x32 IE7 SSL Security Problem


PA Bear

Forwarded to Vista Security newsgroup via crosspost as a convenience to the
OP.

What anti-virus or "internet security" suite are you running?

=> Does this behavior persist if you start IE7 in No Add-ons mode? To start
IE7 in No Add-ons mode:

1. Right-click on the blue IE desktop icon and select Start without Add-ons

2. Start > (All) Programs > Accessories > System Tools > Internet Explorer
(No add-ons).

More:

Troubleshooting and Internet Explorer’s (No Add-ons) Mode:
http://blogs.msdn.com/ie/archive/2006/07/25/678113.aspx

=> Does the problem persist if you Reset IE7 Settings (RIES)?
http://support.microsoft.com/kb/923737 <= Read before using!
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin DTS-L.org

Bathrone wrote:
> Sadly I have not been able to progress this further.
>
> I called Microsoft for support, but they wanted to charge me for it and I
> don't use credit cards. When I explained this was a bug, they retorted with
> hints at malware and if indeed it was a bug I would be refunded. Which is a
> catch-22 when I don't use credit cards. My antimalware product is OneCare,
> which since it is not detecting any malware could be considered a bug in
> OneCare. Though I doubt it being malware since Kaspersky online scanner
> doesn't detect it, nor does Ad-Aware, SUPERAntiSpyware etc.
>
> I now have a pattern for problem number 2. I open IE and confirm only TLS is
> enabled in advanced user preferences. I leave IE closed for a few hours -
> open IE again and immediately go to advanced user preferences and I see SSL
> v2, SSL v3 and TLS all enabled despite my user preference earlier. SSL2 is a
> security problem as well.
>
> I don't understand why I'm not getting any help from Microsoft on this when
> clearly there is a serious security problem with IE7 on Vista. Even if it is
> malware, two issues for Microsoft are why OneCare isn't detecting it (and
> other leading anti-malware products) and secondly by what exploit did it get
> installed under a well configured Vista install with what I like to think is
> a reasonably savvy admin/user on the system.
>
> Asking for support outside of Microsoft has not contributed to the problem
> because I think it will take someone with expert knowledge of windows
> internals.


> I'm on Vista x32 IE7 fully patched to current windows update and the two
> performance and reliability hotfixes. There are three specific problems
>
> 1. I can't establish a 256 bit AES SSL session.
>
> 2. Advanced user preference settings for SSL3 and SSL2 being disabled are
> being re-enabled by something. Even if I disable them again if I apply,
> close IE and wait a while they will be re-enabled again if I check the
> advanced settings.
>
> 3. I am getting strange recurring error and warning level events in the
> windows system log about SSL.
>
> Details:
>
> Using Firefox alpha 7 I can easily go to
> https://www.fortify.net/sslcheck.html and see I'm running
> DHE-RSA-AES256-SHA. In my IE7 install SSL negotiates AES128-SHA
>
> I have no explanation as to how or why SSL3 and SSL2 are being enabled and
> overwriting user preference.
>
> The details of the system events are:
>
> E1. An error occurred while using SSL configuration for socket address
> 192.168.1.2:6331. The error status code is contained within the returned
> data. ID: 15021 Source: HTTPEvent
>
> E2. An error occurred while using SSL configuration for socket address
> 255.255.255.255:6331. The error status code is contained within the
> returned data. ID: 15021 Source: HTTPEvent
>
> W1. SSL Certificate Settings deleted for Port : 192.168.1.2:6331 . ID:
> 15300 Source: HTTPEvent
>
> W2. SSL Certificate Settings created by an admin process for Port :
> 192.168.1.2:6331 . ID: 15301 Source: HTTPEvent
>
> W3. SSL Certificate Settings deleted for Port : 255.255.255.255:6331 . ID:
> 15300 Source: HTTPEvent
>
> W4. SSL Certificate Settings created by an admin process for Port :
> 255.255.255.255:6331 . ID: 15301 Source: HTTPEvent
>
> W5. SSL Certificate Settings deleted for Port : 255.255.255.255:6331 . ID:
> 15300 Source: HTTPEvent
>
> W6. SSL Certificate Settings created by an admin process for Port :
> 255.255.255.255:6331 . ID: 15301 Source: HTTPEvent
>
> I do not know what so called admin process is doing this. It occurs on each
> reboot on my system. The MS online event search facility provides no
> explanation of these events.
>
> My antimalware product reports no problems. The Kaspersky online scanner
> reports no problems. I have gone through the browser helper objects and
> found nothing unusual. I have also gone through my running processes and
> found nothing unusual. Same with startup processes.
>
> I am determined to get to the bottom of this problem and would greatly
> appreciate expert advice in helping to diagnose this further.
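Two of the three symptoms quoted above can be measured instead of eyeballed: the SSL 2.0 / SSL 3.0 / TLS 1.0 checkboxes on IE's Advanced tab are stored as one DWORD bitmask (SecureProtocols, documented bit values 0x08, 0x20, 0x80) under the user's Internet Settings key, and the HTTPEvent entries are HTTP.sys SSL-configuration events that can be pulled from the System log by ID. The script below is an added example for this thread, not code from the poster or from Microsoft. It assumes PowerShell 2.0 or later on the affected machine and that the entries the poster quotes carry a source name containing "HttpEvent" (matched loosely for that reason). Run it from a scheduled task under the same user account, and the timestamps show when the SSL bits flip back on relative to reboots and to the 15300/15301 events.

```powershell
# Added diagnostic, not from the thread. Assumes PowerShell 2.0+ and the
# documented SecureProtocols bit layout below.

# IE's "Use SSL 2.0 / SSL 3.0 / TLS 1.0" checkboxes are one DWORD bitmask.
$SecureProtocolBits = @{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80 }
$IeSettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IeSecureProtocols {
    # Decodes the bitmask into one object per protocol. Returns nothing (with a
    # warning) when the value is absent, i.e. IE is on its built-in default.
    $item = Get-ItemProperty -Path $IeSettingsKey -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { Write-Warning 'SecureProtocols is not set; IE is using its built-in default'; return }
    $mask = [int]$item.SecureProtocols
    foreach ($name in $SecureProtocolBits.Keys) {
        New-Object PSObject -Property @{
            Protocol = $name
            Enabled  = (($mask -band $SecureProtocolBits[$name]) -ne 0)
            Mask     = ('0x{0:X}' -f $mask)
        }
    }
}

function Test-TlsOnly {
    # $true only when TLS 1.0 is on and both SSL versions are off: the state
    # the poster configured and later found reverted.
    $state = @(Get-IeSecureProtocols)
    if ($state.Count -eq 0) { return $false }
    $ssl = $state | Where-Object { $_.Protocol -like 'SSL*' -and $_.Enabled }
    $tls = $state | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Enabled }
    return (($null -eq $ssl) -and ($null -ne $tls))
}

function Get-HttpSslEvents {
    # Pulls the HTTP.sys SSL-configuration events quoted in the post (IDs
    # 15021, 15300, 15301) from the System log for the last N hours.
    param([int]$Hours = 24)
    $ids = 15021, 15300, 15301
    Get-EventLog -LogName System -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Source -like '*HttpEvent*' -and ($ids -contains $_.EventID) } |
        Select-Object TimeGenerated, EventID, EntryType, Message
}

# One snapshot per run; append the output to a file from a scheduled task so
# the moment the SSL 2.0 / 3.0 bits come back can be pinned down.
"$(Get-Date -Format s)  TLS-only: $(Test-TlsOnly)"
Get-IeSecureProtocols | Sort-Object Protocol | Format-Table Protocol, Enabled, Mask -AutoSize
Get-HttpSslEvents -Hours 24 | Format-Table TimeGenerated, EventID, EntryType -AutoSize
# The port bindings those events refer to are listed by HTTP.sys itself:
netsh http show sslcert
```

Because SecureProtocols lives under HKCU, whatever rewrites it is either running as that user or writing the hive directly; a run of this script immediately before and after a reboot, compared with the 15300/15301 timestamps, separates "IE re-enables it on start" from "something changes it while IE is closed", which is the distinction the poster is trying to make.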
 
Thank you Robear.

I have previously reset the IE settings as per the KB article and
unfortunately that didn't fix it. I did it again anyway and I don't have 256
AES SSL and the other problems. I gave the no add-on IE process a whirl and
still no 256 AES in SSL.

I ended up caving in to Microsoft and paying the support fee via my partner's
credit card with the understanding that when hopefully it's proven to be a
bug I can get my money back. When I eventually got onto the tech who was
helping me it ended up being unresolved and he indicated he would need to
investigate further and get back to me. In safe mode I get no 256 AES but
interestingly the event viewer syslog error and warning problem events don't
occur - then however if you disable all startup programs and all non-MS
services on reboot the events do re-occur.

This has been going on for a while and I recently wiped my partition after I
suspected my computer had been compromised. The reinstall of Vista x32
Ultimate didn't help obviously.

FWIW I'm running the OneCare Live beta, but as I mentioned previously I've
also run Kaspersky's online scanner (which is widely regarded to have the
highest detection rate in the industry) and a whole bunch of anti-spyware
programs which all found nothing.

I've been enjoying Roger Grimes' book on Vista security and it's pleasing that
Vista is so much better than previous desktop OSes MS has released. Frankly
I don't like the usability of Firefox's Gran Paradiso and I think IE7 offers
better phishing protection, nicer usability and the protected mode security.
It's a bit ironic though that as soon as I tried Gran Paradiso it immediately
did 256 AES SSL and I have no alarming preference changes mysteriously
enabling insecure things like SSLv2.

There's no real alternative - BSD / Linux is a nightmare for general use and
MacOS is tied to hardware that doesn't suit me. MS has gotten its act
together pretty well since DOS/Win95 and I hope this security problem is
just a small bump in the years I'll be using this operating system.
 
Well, I'm sticking at this. I have not heard back from MS support, but I
think now I have enough evidence to get my money back on the support fee
they charged me.

What I did was wipe my partition again, and re-install Vista x32. I'm
usually careful, this time I was super careful about what device drivers and
applications I installed. I also made a point to patch the security hotfixes
from Windows Update before doing anything.

So with the system up I start IE7, again no 256 bit AES. I've been trying to
get someone in the USA with a USA IP on Vista and IE7 to check what SSL
cipher strength they get from (want to clarify a cipher export thing I was
thinking of):

https://www.fortify.net/sslcheck.html

No one has so far cos I think people who don't know better think it's some
sort of trap. Would someone try this and tell me the result please.

Then, I closed all my apps and re-opened IE7, confirming that only TLS was
enabled in advanced options and that SSLv2 and SSLv3 were not. Double
checked the setting again. Then I closed IE, no other apps running, only
system services and processes. Woke up in the morning knowing for sure no
user interaction had occurred, and I find that SSLv2 and SSLv3 have now
mysteriously been enabled.
 
With default IE7 settings I got this:
You have connected to this web server using the AES128-SHA encryption cipher
with a key length of 128 bits

--
Jane, not plain ) 64 bit enabled :-)
Batteries not included. Braincell on vacation -)
MVP - Windows Shell/User

"Bathrone" <nospam@world.net> wrote in message
news:eSrRNsT5HHA.484@TK2MSFTNGP06.phx.gbl...
> Well, I'm sticking at this. I have not heard back from MS support, but I
> think now I have enough evidence to get my money back on the support fee
> they charged me.
>
> What I did was wipe my partition again, and re-install Vista x32. I'm
> usually careful, this time I was super careful about what device drivers
> and applications I installed. I also made a point to patch the security
> hotfixes from Windows Update before doing anything.
>
> So with the system up I start IE7, again no 256 bit AES. I've been trying
> to get someone in the USA with a USA IP on Vista and IE7 to check what SSL
> cipher strength they get from (want to clarify a cipher export thing I was
> thinking of):
>
> https://www.fortify.net/sslcheck.html
>
> No one has so far cos I think people who don't know better think it's some
> sort of trap. Would someone try this and tell me the result please.
>
> Then, I closed all my apps and re-opened IE7, confirming that only TLS was
> enabled in advanced options and that SSLv2 and SSLv3 were not. Double
> checked the setting again. Then I closed IE, no other apps running, only
> system services and processes. Woke up in the morning knowing for sure no
> user interaction had occurred, and I find that SSLv2 and SSLv3 have now
> mysteriously been enabled.
 
Thanks Jane but it would appear you're in Australia like me (based on your
email addy) :)

The reason I'm hoping for someone in the USA with a USA IP on Vista IE7 is
to rule out any cipher export restrictions that might be limiting the cipher
strength. So would someone that fits that situation please report what they
get.
 
/rant

This just gets worse. After some days of not hearing from MS support I
decide to contact them.

They email me this nonsense about IE7 and SSL from the IE7 blog. Swallowing my
frustrations I try to explain that does not contribute anything to the
resolution and is actually pointing out that the support tech doesn't
understand the issues at hand. I actually read that blog entry as part of
the research I did before caving in to MS demands for paying a support fee
cos all it does is confirm that what is happening should not be
happening... So glad I got quality support for my money!

Then I get a response back from the MS support tech asking for screenshots.
I'm agitated at this time cos I already supplied them many screenshots days
ago that clearly showed what they are now asking for. Go Microsoft support!
I haven't had any response about what tangible progress has been made and
where my incident was escalated to.

I will be pushing them for a refund on my support fee cos clearly it's a bug.
I've twice now wiped my partition and re-installed. They agreed up front
they would refund the fee when I show it's a bug.

I go out of my way to talk up Vista and I'm really a fan of what MS is doing
these days but this experience doesn't taste good!
 
"Bathrone" <nospam@world.net> wrote in message
news:eSrRNsT5HHA.484@TK2MSFTNGP06.phx.gbl...
>
> So with the system up I start IE7, again no 256 bit AES. I've been trying
> to get someone in the USA with a USA IP on Vista and IE7 to check what SSL
> cipher strength they get from (want to clarify a cipher export thing I was
> thinking of):
>
> https://www.fortify.net/sslcheck.html



From the USA...

Vista Ultimate with IE7
You have connected to this web server using the AES128-SHA encryption cipher
with a key length of 128 bits.

XP-Pro with IE6
You have connected to this web server using the RC4-MD5 encryption cipher
with a key length of 128 bits.

Regards,
-Seth
 
Total legend Seth, thank you very much. So it looks like IE7 on Vista is
bugged when it comes to 256 bit AES cipher lengths.
 
"Bathrone" <nospam@world.net> wrote in message
news:eeBDzCY5HHA.5984@TK2MSFTNGP04.phx.gbl...
> Total legend Seth, thank you very much. So it looks like IE7 on Vista is
> bugged when it comes to 256 bit AES cipher lengths.


Not pretending to know anything about the intricacies behind encryption, my
XP/IE6 machine also showed 128. A different method (RC4 instead of AES) but
still 128.
 
I apologize for the troubles you've been having. The reason you see AES
128-bit rather than AES 256-bit is because of the default order that the
operating system presents for cipher suites. Vista offers AES 128-bit first
in order to minimize performance impacts, so the server selects that. AES
128-bit is more than sufficient for protecting information.

However, if you'd like to change the default offering order, here's how to
do it:

1. Open your group policy editor by entering "gpedit.msc" at a command
prompt.
2. Choose "Computer Configuration | Administrative Templates | Network | SSL
Configuration Settings."
3. There's only one item here: "SSL Cipher Suite Order." Open it.
4. Select "Enabled."
5. Now here's where you need to tread carefully. The first item in the list
is:
TLS_RSA_WITH_AES_128_CBC_SHA
And the second item is:
TLS_RSA_WITH_AES_256_CBC_SHA
Cursor your way through the list. Change that first "128" to "256." Then
cursor forward a bit more and change the "256" to "128."
6. "OK" your way out, close the group policy editor, and reboot.

I'm looking into getting a KB article to document this, and also will see
about making sure the support folks know about it too.


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Bathrone" <nospam@world.net> wrote in message
news:#KTNRiU5HHA.600@TK2MSFTNGP05.phx.gbl...
> /rant
>
> This just gets worse. After some days of not hearing from MS support I
> decide to contact them.
>
> They email me this nonsense about IE7 and SSL from the IE7 blog. Swallowing
> my frustrations I try to explain that does not contribute anything to the
> resolution and is actually pointing out that the support tech doesn't
> understand the issues at hand. I actually read that blog entry as part of
> the research I did before caving in to MS demands for paying a support fee
> cos all it does is confirm that what is happening should not be
> happening... So glad I got quality support for my money!
>
> Then I get a response back from the MS support tech asking for screenshots.
> I'm agitated at this time cos I already supplied them many screenshots
> days ago that clearly showed what they are now asking for. Go Microsoft
> support! I haven't had any response about what tangible progress has been
> made and where my incident was escalated to.
>
> I will be pushing them for a refund on my support fee cos clearly it's a
> bug. I've twice now wiped my partition and re-installed. They agreed up
> front they would refund the fee when I show it's a bug.
>
> I go out of my way to talk up Vista and I'm really a fan of what MS is
> doing these days but this experience doesn't taste good!
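Steve's six steps edit the string that the "SSL Cipher Suite Order" policy stores; the same list is what Schannel reads back from the policy key under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 as the REG_SZ value Functions. The script below is an added example for this thread, not code from Steve, from the poster or from Microsoft. It performs the swap he describes against that value and generalises it: every AES_128 suite that has an AES_256 twin in the list is placed after that twin, not only the first pair. It assumes PowerShell 2.0 or later, an elevated prompt, and that the policy has already been set to Enabled once in gpedit.msc so the value exists with the default list seeded.

```powershell
# Added example, not from the thread. Reorders the "SSL Cipher Suite Order"
# policy so AES-256 suites precede their AES-128 twins, then writes it back.
# Assumes PowerShell 2.0+, an elevated prompt, and that the policy was
# enabled once in gpedit.msc (which seeds the default list).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CipherSuiteOrder {
    # Returns the configured suites as an array, or $null when the policy is Not Configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Move-Aes256First {
    # Whenever a suite and its AES_256 twin are both present, the AES_256 one
    # is emitted first. Suites without a twin keep their position; nothing is
    # added to or removed from the list.
    param([string[]]$Suites)
    $result = @()
    foreach ($suite in $Suites) {
        if ($suite -match 'AES_128') {
            $twin = $suite -replace 'AES_128', 'AES_256'
            if (($Suites -contains $twin) -and ($result -notcontains $twin)) { $result += $twin }
            $result += $suite
        } elseif ($suite -match 'AES_256') {
            if ($result -notcontains $suite) { $result += $suite }   # may already have been pulled forward
        } else {
            $result += $suite
        }
    }
    return $result
}

function Set-CipherSuiteOrder {
    # Schannel reads the list back as one comma-separated REG_SZ.
    param([string[]]$Suites)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value ($Suites -join ',')
}

$current = Get-CipherSuiteOrder
if ($null -eq $current) {
    Write-Warning 'Policy not configured. Enable "SSL Cipher Suite Order" once in gpedit.msc, then re-run.'
} else {
    $reordered = Move-Aes256First -Suites $current
    'Before:'; $current   | Select-Object -First 4
    'After: '; $reordered | Select-Object -First 4
    Set-CipherSuiteOrder -Suites $reordered
    'Reboot for Schannel to pick up the new order.'
}
```

Two caveats that apply equally to the gpedit route: the order only changes which suite the client offers first, so the server must also support AES-256 and honour client preference for the sslcheck page to report it; and because this writes the registry value directly rather than the local GPO store, re-opening the policy in gpedit.msc later will show (and on refresh re-apply) whatever string is in the GPO, so paste the reordered list back into the policy if both are to stay in step.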
 
Excellent Steven. Thank you for a concise and clear explanation to this
issue. I would prefer to run 256 AES simply because the NSA rates that as
being ok for top secret, when 128 isn't. I do however totally appreciate that
128 AES is strong in the cipher sense to known attacks and it's more of a
personal whim for 256 than any logical need.

Now if someone can figure out what is causing the SSLv2 setting to be
enabled through no user action (and despite my settings for only allowing
TLS) I'll be tickled pink.
 
"Bathrone" <nospam@world.net> wrote in message
news:eGlo3UU5HHA.1208@TK2MSFTNGP03.phx.gbl...
> Thanks Jane but it would appear you're in Australia like me (based on your
> email addy) :)
>
> The reason I'm hoping for someone in the USA with a USA IP on Vista IE7 is
> to rule out any cipher export restrictions that might be limiting the
> cipher strength. So would someone that fits that situation please report
> what they get.


AES cipher, 128-bit key

32-bit Vista Ultimate


--
Frank Saunders, MS-MVP OE/WM
Do not send mail.
 
[Thanks for jumping in here, Steve.]
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)

Steve Riley [MSFT] wrote:
> I apologize for the troubles you've been having. The reason you see AES
> 128-bit rather than AES 256-bit is because of the default order that the
> operating system presents for cipher suites. Vista offers AES 128-bit
> first
> in order to minimize performance impacts, so the server selects that. AES
> 128-bit is more than sufficient for protecting information.
>
> However, if you'd like to change the default offering order, here's how to
> do it:
>
> 1. Open your group policy editor by entering "gpedit.msc" at a command
> prompt.
> 2. Choose "Computer Configuration | Administrative Templates | Network |
> SSL
> Configuration Settings."
> 3. There's only one item here: "SSL Cipher Suite Order." Open it.
> 4. Select "Enabled."
> 5. Now here's where you need to tread carefully. The first item in the
> list
> is:
> TLS_RSA_WITH_AES_128_CBC_SHA
> And the second item is:
> TLS_RSA_WITH_AES_256_CBC_SHA
> Cursor your way through the list. Change that first "128" to "256." Then
> cursor forward a bit more and change the "256" to "128."
> 6. "OK" your way out, close the group policy editor, and reboot.
>
> I'm looking into getting a KB article to document this, and also will see
> about making sure the support folks know about it too.
>
>
>
> "Bathrone" <nospam@world.net> wrote in message
> news:#KTNRiU5HHA.600@TK2MSFTNGP05.phx.gbl...
>> /rant
>>
>> This just gets worse. After some days of not hearing from MS support I
>> decide to contact them.
>>
>> They email me this nonsense about IE7 and SSL from the IE7 blog. Swallowing
>> my frustrations I try to explain that does not contribute anything to the
>> resolution and is actually pointing out that the support tech doesn't
>> understand the issues at hand. I actually read that blog entry as part of
>> the research I did before caving in to MS demands for paying a support fee
>> cos all it does is confirm that what is happening should not be
>> happening... So glad I got quality support for my money!
>>
>> Then I get a response back from the MS support tech asking for screenshots.
>> I'm agitated at this time cos I already supplied them many screenshots
>> days ago that clearly showed what they are now asking for. Go Microsoft
>> support! I haven't had any response about what tangible progress has been
>> made and where my incident was escalated to.
>>
>> I will be pushing them for a refund on my support fee cos clearly it's a
>> bug. I've twice now wiped my partition and re-installed. They agreed up
>> front they would refund the fee when I show it's a bug.
>>
>> I go out of my way to talk up Vista and I'm really a fan of what MS is
>> doing these days but this experience doesn't taste good!
 
Well, I gotta admit, this one had me stymied for a bit, too. Found the
answer from a few people internally.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"PA Bear" wrote in message
news:e7eVand5HHA.5984@TK2MSFTNGP04.phx.gbl...
> [Thanks for jumping in here, Steve.]
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE, OE, Security, Shell/User)
>
> Steve Riley [MSFT] wrote:
>> I apologize for the troubles you've been having. The reason you see AES
>> 128-bit rather than AES 256-bit is because of the default order that the
>> operating system presents for cipher suites. Vista offers AES 128-bit
>> first
>> in order to minimize performance impacts, so the server selects that. AES
>> 128-bit is more than sufficient for protecting information.
>>
>> However, if you'd like to change the default offering order, here's how
>> to
>> do it:
>>
>> 1. Open your group policy editor by entering "gpedit.msc" at a command
>> prompt.
>> 2. Choose "Computer Configuration | Administrative Templates | Network |
>> SSL
>> Configuration Settings."
>> 3. There's only one item here: "SSL Cipher Suite Order." Open it.
>> 4. Select "Enabled."
>> 5. Now here's where you need to tread carefully. The first item in the
>> list
>> is:
>> TLS_RSA_WITH_AES_128_CBC_SHA
>> And the second item is:
>> TLS_RSA_WITH_AES_256_CBC_SHA
>> Cursor your way through the list. Change that first "128" to "256." Then
>> cursor forward a bit more and change the "256" to "128."
>> 6. "OK" your way out, close the group policy editor, and reboot.
>>
>> I'm looking into getting a KB article to document this, and also will see
>> about making sure the support folks know about it too.
>>
>>
>>
>> "Bathrone" <nospam@world.net> wrote in message
>> news:#KTNRiU5HHA.600@TK2MSFTNGP05.phx.gbl...
>>> /rant
>>>
>>> This just gets worse. After some days of not hearing from MS support I
>>> decide to contact them.
>>>
>>> They email me this nonsense about IE7 and SSL from the IE7 blog.
>>> Swallowing my frustrations I try to explain that does not contribute
>>> anything to the resolution and is actually pointing out that the support
>>> tech doesn't understand the issues at hand. I actually read that blog
>>> entry as part of the research I did before caving in to MS demands for
>>> paying a support fee cos all it does is confirm that what is happening
>>> should not be happening... So glad I got quality support for my money!
>>>
>>> Then I get a response back from the MS support tech asking for
>>> screenshots. I'm agitated at this time cos I already supplied them many
>>> screenshots days ago that clearly showed what they are now asking for. Go
>>> Microsoft support! I haven't had any response about what tangible
>>> progress has been made and where my incident was escalated to.
>>>
>>> I will be pushing them for a refund on my support fee cos clearly it's a
>>> bug. I've twice now wiped my partition and re-installed. They agreed up
>>> front they would refund the fee when I show it's a bug.
>>>
>>> I go out of my way to talk up Vista and I'm really a fan of what MS is
>>> doing these days but this experience doesn't taste good!
 
Looking forward to SP1 very much here! <wink>
--
~Robear

Steve Riley [MSFT] wrote:
> Well, I gotta admit, this one had me stymied for a bit, too. Found the
> answer from a few people internally.
>
>
> "PA Bear" wrote in message
> news:e7eVand5HHA.5984@TK2MSFTNGP04.phx.gbl...
>> [Thanks for jumping in here, Steve.]
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-Windows (IE, OE, Security, Shell/User)
>>
>> Steve Riley [MSFT] wrote:
>>> I apologize for the troubles you've been having. The reason you see AES
>>> 128-bit rather than AES 256-bit is because of the default order that the
>>> operating system presents for cipher suites. Vista offers AES 128-bit
>>> first
>>> in order to minimize performance impacts, so the server selects that.
>>> AES
>>> 128-bit is more than sufficient for protecting information.
>>>
>>> However, if you'd like to change the default offering order, here's how
>>> to
>>> do it:
>>>
>>> 1. Open your group policy editor by entering "gpedit.msc" at a command
>>> prompt.
>>> 2. Choose "Computer Configuration | Administrative Templates | Network |
>>> SSL
>>> Configuration Settings."
>>> 3. There's only one item here: "SSL Cipher Suite Order." Open it.
>>> 4. Select "Enabled."
>>> 5. Now here's where you need to tread carefully. The first item in the
>>> list
>>> is:
>>> TLS_RSA_WITH_AES_128_CBC_SHA
>>> And the second item is:
>>> TLS_RSA_WITH_AES_256_CBC_SHA
>>> Cursor your way through the list. Change that first "128" to "256." Then
>>> cursor forward a bit more and change the "256" to "128."
>>> 6. "OK" your way out, close the group policy editor, and reboot.
>>>
>>> I'm looking into getting a KB article to document this, and also will
>>> see
>>> about making sure the support folks know about it too.
>>>
>>>
>>>
>>> "Bathrone" <nospam@world.net> wrote in message
>>> news:#KTNRiU5HHA.600@TK2MSFTNGP05.phx.gbl...
>>>> /rant
>>>>
>>>> This just gets worse. After some days of not hearing from MS support I
>>>> decide to contact them.
>>>>
>>>> They email me this nonsense about IE7 and SSL from the IE7 blog.
>>>> Swallowing my frustrations I try to explain that does not contribute
>>>> anything to the resolution and is actually pointing out that the support
>>>> tech doesn't understand the issues at hand. I actually read that blog
>>>> entry as part of the research I did before caving in to MS demands for
>>>> paying a support fee cos all it does is confirm that what is happening
>>>> should not be happening... So glad I got quality support for my money!
>>>>
>>>> Then I get a response back from the MS support tech asking for
>>>> screenshots. I'm agitated at this time cos I already supplied them many
>>>> screenshots days ago that clearly showed what they are now asking for.
>>>> Go Microsoft support! I haven't had any response about what tangible
>>>> progress has been made and where my incident was escalated to.
>>>>
>>>> I will be pushing them for a refund on my support fee cos clearly it's a
>>>> bug. I've twice now wiped my partition and re-installed. They agreed up
>>>> front they would refund the fee when I show it's a bug.
>>>>
>>>> I go out of my way to talk up Vista and I'm really a fan of what MS is
>>>> doing these days but this experience doesn't taste good!
 
Me too PA Bear. What's cool is I heard that the x64 version will support
turfing the BIOS and going EFI.

I test software / manage software testing professionally. I joined Connect
but I don't have an invite from MS. I still love them though :) It's true, I
can't help it. I heard a rumour that a TechNet-style more open test release
will be early Sept.
 