Vulnerability in IPsec Policy Processing Could Allow Information Disclosure
Description: This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would disclose information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the contents of the traffic. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network. The security update addresses the vulnerability by ensuring that IPsec rules are processed appropriately.
Update type: Important
Release date: August 12, 2008
Applies to: All
Knowledge base: http://support.microsoft.com/kb/953733
Comments: Here are the specifics on the vulnerabilities covered by this update:
- IPsec Policy Information Disclosure Vulnerability – CVE-2008-2246
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB953733.