Every major TLS stack had critical security issues in 2014
Share on Twitter.
Get the most reliable SMTP service for your business. You wished you got it sooner!
November 12, 2014
The surfacing of a critical security vulnerability in Microsoft SChannel, patched as part
of a bumper November Patch Tuesday yesterday simply means that every major TLS stack has now
fallen to a critical security flaw at some time during 2014.
Described as MS14-066, the security hole in Microsoft's TLS cryptography library opens the
door to remote code execution on unpatched servers, Microsoft warns.
As such, the security vulnerability is arguably even worse than the infamous Heartbleed
vulnerability in OpenSSL, which, although easy to exploit, was only an information disclosure
The Microsoft SChannel vulnerability (called WinShock by some) carries the potential risk
that it might be exploited to push malicious code onto vulnerable systems, something not possible
Apple SecureTransport technology needed patching back in April while GnuTLS had not just
one, but two very nasty flaws during 2014.
"Every major TLS stack: OpenSSL, GNUTLS, NSS, MS SChannel, and Apple SecureTransport has had a
severe security vulnerability so far this year," said security engineer Tony Arcieri in a note.
As well as patching the critical security flaw in Microsoft SChannel, Microsoft also used
the update to add support for four new cipher suites.
"This update includes new TLS cipher suites that offer more robust encryption to protect customer
information," Microsoft explains in its notice. "These new cipher suites all operate in Galois/counter
mode (GCM), and two of them offer perfect forward secrecy by using DHE key exchange together with
Unusually, Microsoft admits that there are no mitigating factors against the security vulnerability
and no workarounds. "An attacker who successfully exploited this vulnerability could run arbitrary
code on a target server" using malicious packets, it warned.
Windows Server 2012, Windows Server 2008 R2 and Windows Server 2003 are all vulnerable to this TLS
Additionally, workstations running Vista, Windows 7 and Windows 8 are also on the critical list
but perhaps not in quite so much immediate danger.
This is just as bad as it gets and about the only small piece of comfort comes from an absence of
reports (for now at least) that the SChannel security flaw is under attack.
Curiously though, there's no real acknowledgement on who reported the security flaw to Microsoft
in the first place, leaving wide open the possibilities that it was either discovered internally and
privately reported by an entity that didn't want any credit.
Gavin Millard, EMEA technical director for Tenable Network Security, urged immediate patching
to defend against WinShock.
“Is 'WinShock' as bad as ShellShock and Heartbleed? At the moment, due to the lack of details
and proof of concept code, it’s hard to say, but a remote code execution vulnerability affecting
all versions of Windows server on a common component like Schannel is up there with the worst of
them," Millard said.
“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped
on the exact details of this security vulnerability, it won’t be long until one does which could be
disastrous for any system admin that hasn’t updated yet.
"It is of critical importance that all versions of Windows are updated due to the ability
of attackers to execute code on the server remotely, allowing them to gain privileged access
to the network and lead to further exploitation such as infect hosts with malware or rootkits
and the exfiltration of sensitive data," he added.
Microsoft’s November Patch Tuesday available yesterday with 14 security bulletins, of which
four are listed as very critical, collectively covered forty security vulnerabilities.
The critical SChannel security flaw might not even be the most pressing candidate for triage,
according to some patching experts. That "honor" goes to a fix for a vulnerability which created
a means to booby-trap PDF files that has been a theme of recent hacker action.
Ross Barrett, senior manager of security engineering at Rapid7, advised-- "The top patching
priority is definitely going to be MS14-064, which is under active exploitation in the wild and
may be related, at least superficially, to last month’s Sandworm attack, which also worked through
a security vulnerability in OLE (Object Linking and Embedding)."
The other two critical security updates are MS14-066, a cumulative update for Internet Explorer that
addresses no less than seventeen vulnerabilities, and MS14-069, a permanent fix of sorts for a Remote
Code Execution (RCE) security vulnerability in Microsoft Word 2007.
The IE update includes a fix for a rare unicorn-like bug in Internet Explorer-dependent code
that opens avenues for man-in-the-middle attacks, as previously reported.
Get the most dependable SMTP server for your company. You will congratulate yourself!
Share on Twitter.