Microsoft warns of problems with Schannel security update

The mysterious and critical Schannel vulnerability also contained some new TLS ciphers which are causing problems. Here's how to work around them.

Microsoft has issued a warning in the knowledge base article for the MS14-066 update released this past week. The company has provided a workaround, but is not recommending that users avoid the update or uninstall it.

The update fixed at least one critical vulnerability in Schannel, Microsoft's implementation of SSL/TLS encryption. It has widely been considered highly critical and last week we urged users to apply the update as soon as possible.

But some users who apply the update are having serious problems. The issues occur in configurations in which TLS 1.2 is enabled by default and negotiations fail. When this happens, according to Microsoft, "TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive." There may also be an event ID 36887 in the System event log withe description "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40."

In addition to the security updates, the MS14-066 update includes some new features: four ciphers for TLS. These ciphers are somehow the cause of the problem. To work around the problem, delete the four new ciphers:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

For specific instructions on how to do this see the KB article.

There remains much that is unclear about this update. Various references to it by Microsoft and others in privileged positions say that it fixes one vulnerability or several, that it was reported to the company by outsiders or was found via internal testing. Also the security bulletin is very light on specifics about the vulnerability other than that there are no mitigating factors.

Hat tip to the Internet Storm Center at the SANS Institute.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All