PCT was an attempt by Microsoft to establish their own variant of the SSL protocol. Based on SSL version 2, it addressed some of the weaknesses in the earlier protocol, and has been supported since IIS version 4. The standard was not widely adopted outside of Microsoft’s own products, and SSL version 3 became the general standard. Microsoft appear to have conceded defeat, and Windows Server 2003 has SSLv3 enabled and PCT disabled by default. The likely outcome of this latest vulnerability will be the abrupt death of PCT, as administrators disable it on all older servers.

SSL sites could be expected, in theory, to be more actively maintained and patched than other machines. However, our experience has been that SSL servers are often treated with a surprising lack of urgency by system administrators. Also, some vulnerability scanners and intrusion detection systems are not set up to monitor SSL sites, making them seem a lower priority for security patching.

Many sites performing critical financial transactions use either Win2K or NT4, including Official Payments, which handlines online tax payment for the Internal Revenue Service and is likely processing a surge of last-minute e-filings ahead of tomorrow’s U.S. income tax filing deadline. Auction site eBay, a favorite target of Internet scams, runs its CGI servers on Windows NT4 and its payments.ebay.com servers on Windows 2000. Many other leading retailers and financial institutions host financially significant web sites on Microsoft-IIS systems including Dell Computers, Bank One, Merrill Lynch and Prudential.

Sans noted a sharp spike in remote scans of port 443, on Friday, suggesting that some attackers were familiar with the problem ahead of the announcements from ISS and Microsoft, and were actively trying to make best use of their window of opportunity before Microsoft made patches available.