All posts by Oleg Laskin

Heartbleed, but for Windows – MS14-066 – Critical Vulnerability in Schannel Could Allow Remote Code Execution

This week’s Microsoft Security Bulletin includes a critical patch for an interesting and dangerous vulnerability discovered in Windows.  Interesting because it was found by Microsoft’s internal code review team. Dangerous because, much like some of the well-publicized vulnerabilities from earlier this year (Heartbleed or Shellshock), it could enable an attacker to execute malicious code remotely.  Not many details have been released yet, but we do know that it affects servers and desktops/laptops in the same way.  Basically, if the system accepts incoming encrypted communications, it can be vulnerable.

We are expediting the testing and roll-out of the patch for all customers, and working with our various vendors to develop and implement any additional protection mechanisms we may have at our disposal, such as host-based IPS and firewalls.

We have no reports of any attacks “in the wild” using this vulnerability at this point, and will continue to monitor the situation closely.  Microsoft has not released any proof-of-concept code for this vulnerability, which of course makes it harder for the bad guys to weaponize, but also makes it a slower process for other defense mechanisms to build signatures for protecting against it. Not releasing vulnerability details can be a double-edged sword, but we do already have a patch from Microsoft that resolves the issue.

If you’re interested in the deeper technical details, please read on.  As always, should you have any questions, please don’t hesitate to reach out with your concerns.  EI customers should expect to hear shortly on any issues we run into accelerating the patch rate for this vulnerability.

Additional Technical Details

The vulnerability can be exploited by sending a specially crafted packet to a vulnerable server. If successful, the resulting memory corruption may create an adequate condition to execute an arbitrary payload remotely. This vulnerability affects Schannel, Microsoft’s SSL/TLS library, the counterpart to OpenSSL on Linux.

Microsoft’s security research team gave this vulnerability an exploitability rating of 1, which means that exploitation is very likely but has not yet been seen in the wild. The only higher exploitability rating is 0, which means that an attack has already happened and someone has a working exploit (not the case with MS14-066 yet).

Based on the following criteria, it is recommended to patch all Windows systems right away.  This vulnerability:

  • affects every Windows OS
  • is reachable from the public Internet
  • does not require authentication
  • may result in remote code execution.

Microsoft did not specify any workarounds other than patching the affected systems, and now that the patch is released a working exploit may follow soon, so this vulnerability’s exploitability rating could escalate from 1 to 0 very quickly.

Just because the bulletin only mentions one vulnerability doesn’t mean the patch doesn’t actually fix multiple related vulnerabilities. According to the Cisco Security blog: “While it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses.”

A reboot is required for this update, so better get your change control request in soon!
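As an added defender’s check (this is not code from the original post), the PowerShell snippet below reports whether a given hotfix is installed on a list of hosts and whether the local machine still has a reboot pending, since the update is not effective until the reboot happens. The KB number is a placeholder because the bulletin’s KB id is not quoted in this post, and the host names are constructed samples.

```powershell
# Added example, not from the original post. Reports whether a hotfix is
# installed on each host, and whether this machine still needs the reboot
# the update requires before the fix takes effect.

# PLACEHOLDER: substitute the KB number listed in the MS14-066 bulletin.
$KbId  = 'KB0000000'
# Constructed sample host names; replace with your own inventory.
$Hosts = @('fileserver01', 'webserver02')

foreach ($h in $Hosts) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the remote host;
        # filter the full list rather than using -Id so a missing hotfix
        # is reported instead of raising an error.
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                     Where-Object { $_.HotFixID -eq $KbId }
        if ($installed) {
            "{0}: {1} installed on {2}" -f $h, $KbId, ($installed | Select-Object -First 1).InstalledOn
        } else {
            "{0}: {1} MISSING - schedule patch and reboot" -f $h, $KbId
        }
    } catch {
        "{0}: query failed ({1})" -f $h, $_.Exception.Message
    }
}

# These two registry keys exist while a reboot is still pending: the first
# is set by Component Based Servicing, the second by Windows Update.
# Checked on the local machine here.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
if ($pending) { 'Local host: reboot pending - patch not yet effective' }
else          { 'Local host: no reboot pending' }
```

Run this from an account with remote WMI rights on the target hosts; a “MISSING” line or a pending reboot on a host that accepts inbound TLS connections is the case to escalate to change control first.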

Microsoft’s official release on this patch:

Thanks for reading, and stay safe out there!

Offender’s Advantage Series – Introduction

“… Dear Defender,

Your castle’s walls are high and your moats are wide. Your soldiers are many and their swords are sharp. You seem impenetrable.

But I have something that you lack. Time, dear defender, is on my side. I will continue to strike every inch of your walls from afar until I find a crack in the brick that I can exploit. I will locate every builder of your castle and find every blueprint. Your moats may be very wide but they are not deep throughout.  There are shallow places that in the dark of the night I can cross. Time will pass and your walls will begin to wear out and crumble. Cracks will start to form and your walls will be weakened.

And most importantly, your repairs are many. You cannot keep up with time. As you patch the cracks in the walls, new ones appear. Old foundation is buried under the new one and while still holding the castle, it can no longer be repaired. You distract yourself with one “big” break in your wall while ignoring many others.

Your castle is populous. So many people have access to open your castle doors from the inside. Be careful, not all can be trusted. With time I can find one that has a weakness.

You built your castle to be strong, but you did not build it to last. Time destroys all and I, the offender, have all the time. So that is why I say to you – time is on my side.

Offender …”

While an organization’s defenses may be at their strongest, the bigger the attack surface, the greater the chance that a critical vulnerability is missed. New vulnerabilities come out every day, and the critical ones, the kind that affect everyone and seem to be in everything, arrive at least once a month. It is only a matter of time before an attacker finds one that was missed, or one that just came out and has not yet been patched. An attacker will always have the advantage of time. A determined attacker will find a way in; it’s only a matter of time. All software is eventually outdated. The more devices there are on the network, the more patches there are to install. Most organizations lack the resources and time to patch every system. Systems are interconnected, and new software is developed to depend on old systems.
The battlefield has not changed from the Middle Ages to the cyber age. The problems are still the same, and offenders always seem to have the upper hand. The defender’s job is to continuously play catch-up. Until we have new ways to build our castles, dig our moats and educate our people, defenders will be behind the curve. The solution is in building security in from the beginning: create systems that are based on security principles. We are on our way, but the journey will be long.
This Offender’s Advantage series will attempt to examine the ways of the attacker, whether it is a penetration tester or a malicious entity. I will attempt to draw a parallel between cyberspace and historical battlefields to examine the offender’s advantage, and I will try to explain some of the techniques in easy-to-understand, non-technical language to provide insight into the hacker’s world in plain English.
Thanks for reading, and we look forward to sharing the rest of the series with you!