<script></script><META http-equiv="Content-Type" content="text/html; charset=utf-8"> <HTML><HEAD></HEAD> <BODY> <DIV id=idOWAReplyText16260 dir=ltr> <DIV dir=ltr><FONT face=Arial color=#000000 size=2><FONT face=Arial size=2> </FONT> <H1>Information about code that attempts to exploit PCT in SSL</H1><BR> <P class=date>Published: April 22, 2004</P> <P>Microsoft is aware of reports of code available on the Internet that seeks to exploit certain issues addressed in our April 13 security updates. This so-called exploit code affects the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Microsoft considers these reports credible and serious and urges all customers to immediately install <A href="x-excid://E0710000/pas:http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx" target=_blank>Security Update MS4-011</A> as well as the other critical updates provided on April 13. Here is what we currently know about this issue:</P> <UL> <LI>If you are using a home computer or a non-Web server, you should install the update from <A href="x-excid://E0710000/pas:http://windowsupdate.microsoft.com/" target=_blank>Windows Update</A> to help ensure that your systems are not at risk. <LI>If you have installed and deployed Security Update MS04-011, you are <B>not</B> at risk for this issue. <LI>All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. These services include, but are not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL ServerT 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections. <LI>If you have deployed Windows XP or Windows 2000 and enabled SSL, <B>you are at risk</B>. <LI>If you have deployed Windows ServerT 2003 and enabled PCT in SSL, <B>you are at risk</B>. <LI>If you are still evaluating and testing Security Update MS04-011, you should immediately implement the mitigation steps detailed on this page.</LI></UL><PRE></FONT><A href="http://www.microsoft.com/security/incident/pctdisable.asp">http://www.microsoft.com/security/incident/pctdisable.asp</A></PRE></DIV></DIV></BODY></HTML>