Heartbleed, but for Windows – MS14-066 – Critical Vulnerability in Schannel Could Allow Remote Code Execution

This week’s Microsoft Security Bulletin includes a critical patch for interesting and dangerous vulnerability discovered in Windows.  Interesting because it was found by Microsoft’s internal code review team. Dangerous because, much like the some of the well publicized vulnerabilities from earlier this year (HeartBleed or Shellshock) it could enable an attacker to execute malicious code remotely.  Not many details have been released yet, but we do know that it effects servers and desktops/laptops in the same way.  Basically, if the system accepts incoming encrypted communications, it can be vulnerable.

We are expediting the testing and roll-out of the patch for all customers, and working with our various vendors to develop and implement any additional protection mechanisms we may have at our disposal, such as host-based IPS and firewalls.

We have no reports of any attacks “in the wild” using this vulnerability at this point, and will continue to monitor the situation closely.  Microsoft has not released any proof-of-concept code for this vulnerability, which of course makes it harder for the bad guys to weaponize, but also makes it a slower process for other defense mechanisms to build signatures for protecting against it. Not releasing vulnerabilities can be a double-edge sword, but we do have a patch that resolves the issue already issued from Microsoft.

If you’re interested in the deeper technical details, please read on.  As always, should you have any questions, please don’t hesistate to reach out with your concerns.  EI customers should expect to hear shortly on any issues we run into accelerating the patch rate for this vulnerability.

Additional Technical Details

assmblrThe vulnerability can be exploited by sending a specially crafted packet to a vulnerable server. If successful , a memory corruption may create an adequate condition to execute an arbitrary payload remotely. This vulnerability affects SChannel which is a Microsoft’s SSL/TLS library, counterpart to Linux’s OpenSSL.

Microsoft security research team rated this vulnerability at 1, which means that exploit is very likely but have not been see in the wild. The only higher exploitability rating is 0 which  means that an attack has already happened and someone has a working exploit (not the case with MS14-066 yet).

Based on the following criteria,  it is recommended to patch all Windows systems right away.  This vulnerability:

  • affects every Windows OS
  • available from public Internet
  • does not require authentication
  • may result in remote code execution.

Since Microsoft did not specify any workarounds other then patching the affecting systems and after the patch is released, a working exploit may be released soon as well, so this vulnerability’s risk rating could escalate from 1 to 0 very soon.

Just because the bulletin only mentions one vulnerability, doesn’t mean the patch doesn’t actually fix multiple related vulnerabilities. According to Cisco Security blog “While it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses.”

Reboot is required for this update, so better get your change control request in soon!

Microsoft’s official release on this patch:

https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

Thanks for reading, and stay safe out there!

Leave a Reply