Drop what you're doing and patch the Windows Schannel bugs now

Summary: One Microsoft security update from yesterday stands out from the rest for severity and unanswered questions. Apply the MS14-066 update now or at least make sure your IPS has updates for it.

It didn't take me long yesterday to realize that the stand-out vulnerability disclosed by Microsoft was MS14-066 "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)". I know you know it's rated critical, but this one is different. Drop everything and apply it. At the very least make sure that your IPS systems have updates to deal with it.

Microsoft's description of the vulnerability is terse, but ominous: "An attacker who successfully exploited this vulnerability could run arbitrary code on a target server. An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server." In other words, if I can send packets to the server, I can run my code on it in the context of Schannel. This is an extremely big and bad thing.

Schannel is the component of Windows that implements SSL/TLS. (This is, by the way, the reason they took this opportunity to add some new TLS cipher suites to Windows, as long as they were already updating schannel.dll.) It is the equivalent of significant parts of OpenSSL.

Speaking of OpenSSL (and BASH and other open source programs which have recently experienced major vulnerability disclosures), MS14-066 underscores a major difference in the way Microsoft does things. At the same time we learned about Heartbleed and Shellshock, we learned full details of the vulnerabilities and the full horror of their implications.

Not so with the Schannel bug (the vulnerability with no name yet). Unlike Bash and OpenSSL, patches don't include source code, and so far nobody is publishing details of the vulnerability, although there's reason to believe someone will. More about this below.

Is it just one vulnerability as Microsoft says? They use the singular in their bulletin and assign it just one CVE number (CVE-2014-6321). But a Cisco/Talos blog on yesterday's updates says "...there's actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses." Talos is basically Sourcefire, the IPS people, so they likely received information about the vulnerability from Microsoft through the MAPP program to help them to develop Snort/Sourcefire signatures for it. (Perhaps they aren't supposed to blab... make that 'blog' about it like this.)

But it just goes to show that we don't know much about the Schannel bug other than that it has the potential to be catastrophic and as easy to exploit as Shellshock. Based on what Microsoft says, a remote, unauthenticated attacker may be able to run code inside the TLS layer itself, and if the "certificate validation bypasses" Talos mentions are real, an attacker could impersonate a legitimate endpoint, which is the foundation of a man-in-the-middle attack. It's the zombie apocalypse.

Some more confusion over this bug: The Microsoft bulletin says that it was "privately reported," but a Microsoft SRD (Security Research and Defense) blog from yesterday says it "Internally found during a proactive security assessment." Add to that the line in the bulletin that says "Microsoft received information about this vulnerability through coordinated vulnerability disclosure" and the source of this vulnerability or vulnerabilities to Microsoft becomes utterly opaque.

The phrase "coordinated vulnerability disclosure" implies that someone else should be disclosing details of the vulnerability, usually whoever found it and reported it to Microsoft. I'm aware of no such disclosure, but once we do know more we will know just what mischief it makes possible.

In the meantime the only responsible thing to do is to assume the worst. Make sure there are signatures for your IPS to detect and block exploits of this vulnerability/these vulnerabilities. Apply the updates ASAP.
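As an added example (not code from the original article or from Microsoft), here is a PowerShell check that reports whether the MS14-066 update (KB2992611, from the bulletin title above) is installed on a list of Windows hosts and what version of schannel.dll each one is running, so the unpatched ones can be found and fixed first. It assumes the account running it has local administrator rights on the targets (Get-HotFix queries them over WMI/RPC and the DLL is read via the admin$ share) and the host names are placeholders. The DLL version is reported for manual comparison against the file version table in KB2992611, since that differs per OS build.

```powershell
# Added example: inventory a set of hosts for the MS14-066 (KB2992611) update.
# Assumptions: remote WMI/RPC and the admin$ share are reachable and the caller
# is a local admin on each target. Host names below are hypothetical.

$kb    = 'KB2992611'
$hosts = @('web01', 'web02', 'dc01')

function Test-Ms14066 {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        Computer        = $ComputerName
        KBInstalled     = $false
        InstalledOn     = $null
        SchannelVersion = $null
        Error           = $null
    }

    try {
        # -ErrorAction Stop turns an unreachable host into a catchable error;
        # an absent KB simply yields no object, so test the result explicitly.
        $hf = Get-HotFix -Id $kb -ComputerName $ComputerName -ErrorAction Stop
        if ($hf) {
            $result.KBInstalled = $true
            $result.InstalledOn = $hf.InstalledOn
        }
    } catch {
        $result.Error = $_.Exception.Message
    }

    try {
        # Read the schannel.dll file version through the admin share; compare it
        # by hand with the version listed in KB2992611 for this host's OS build.
        $dll = Get-Item "\\$ComputerName\admin`$\System32\schannel.dll" -ErrorAction Stop
        $result.SchannelVersion = $dll.VersionInfo.FileVersion
    } catch {
        if (-not $result.Error) { $result.Error = $_.Exception.Message }
    }

    [pscustomobject]$result
}

$report = foreach ($h in $hosts) { Test-Ms14066 -ComputerName $h }
$report | Format-Table -AutoSize

# Hosts without the KB (or that could not be queried) go to the top of the work list.
$report | Where-Object { -not $_.KBInstalled } | Select-Object Computer, Error
```

A host that shows no KB and no error has simply not received the update yet; a host with an error needs to be checked by hand, since an unreachable server is not a patched server.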

Topics: Security, Microsoft, Windows

Talkback

  • Article: "Internally found during a proactive security assessment."

    Proactive? One really has to wonder if Microsoft's security assessment of Schannel was reactive to both Apple's "goto fail" and, especially, OpenSSL's HeartBleed vulnerabilities since, as stated in the article:

    "Schannel is... the equivalent of significant parts of OpenSSL."
    Rabid Howler Monkey
    • P.S. Any idea of when this vulnerability was introduced into Schannel?

      Rabid Howler Monkey
      • If correct

        “First, this means that significant vulnerabilities can go undetected for some time. In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years.”

        IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows

        http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGOkvXW9_NN
        daikon
        • The CVE for the Schannel vuln is CVE-2014-6321

          The CVE for the vuln in your link is CVE-2014-6332. Thus, they are different vulnerabilities.
          Rabid Howler Monkey
          • Thanks for the correction.
            daikon
  • patch the Windows Schannel bug(s) now

    SChannel vuln - dubbed WinShock

    "Every major TLS stack: OpenSSL, GNUTLS, NSS, MS SChannel, and Apple SecureTransport has had a severe vulnerability this year," security engineer Tony Arcieri

    Annus HORRIBILIS! ALL the big TLS stacks now officially pwned in 2014
    http://www.theregister.co.uk/2014/11/12/ms_crypto_library_megaflaw/
    daikon
• I guess you can FINALLY breathe a sigh of relief then

      I can only imagine how excruciating it must have been going all this time without a counter.

With this, you can now tell yourself that all is fine, OpenSSL, GNUTLS, NSS, etc. issues really weren't a problem after all....

      ;)
      William.Farrel
      • Mr. Phorah

        Needs a hug.....
        daikon
• Misspelling

          When he first appeared on ZDNet, he spelled his surname as "Pharaoh". And no, I don't think all those other monikers associated with him by a certain troll are really his sockpuppets.
          John L. Ries
  • Disclosure

    IMO for Microsoft to disclose details of this vulnerability only facilitates exploiting it between disclosure and the time the last Windows user installs the patch. Not to mention those unlucky enough to still be running XP, which will be vulnerable to this forever. I don't need details, and the new TLS ciphers (some of which enable PFS) would be enough for me even without the patch.
    dbnick
    • So... Which is worse?

      Heartbleed? or Schannel?

      And which one can't be patched...ever.
      jessepollard
      • Not what you had in mind...

The bug in old Windows versions can be patched by upgrading to a newer version. The Heartbleed bug which is included in some abandoned open source projects can be patched by hiring a couple of developers to update the open source project.
        So both can be patched, but updating the Windows version sounds a lot easier.
        Sacr
        • And hardware

          that the manufacturer no longer supports and won't bring out firmware patches. That is a big problem.
          wright_is
      • Heartbleed, of course

        Or else you wouldn't have had to deploy your misdirection tools as you just did.
        William.Farrel
        • I think what he meant was...

          ...it's a lot easier to replace OpenSSL on old UNIX and Linux installations than it is to apply a patch to no longer supported Windows systems.
          John L. Ries
          • Patch

            The patch for an unsupported version of Windows is to upgrade that old unsupported version to a supported version of Windows.
            IE11
    • Advance disclosure reasons????

      As mentioned, "...only facilitates exploiting it...". Sadly this seems to have been the typical case for just about every vulnerability published... Must be OS / software companies believe it better to provide public notice, as opposed to attempting to:
      A: Push the patch
      B: Discover at least major customers, and advise privately.
      This, regardless of the fact that after publishing, the possibility of more exploits may increase multi-fold.
      Lazy business practices, IMHO, but then I guess we all tend to buy into them anyway. Convenient methods typically compromise security.... which is more important to YOU?
      Willnott
  • Max Exploitability: 1

    Why doesn't Microsoft think it is a case of "stop your life and patch your systems asap"?

    Or, in other words, why do you think it is?

    Max Exploitability: 1
    Rikkrdo
    • Ooops please delete

      Ooops please delete

      (Just found it is inverse score lol)
      Rikkrdo
  • Thanks

    Thanks
    ITOdeed