Information Technology News.


Every major TLS stack had critical security issues in 2014

November 12, 2014

The surfacing of a critical security vulnerability in Microsoft SChannel, patched as part of a bumper November Patch Tuesday yesterday, means that every major TLS stack has now fallen to a critical security flaw at some time during 2014.

Described as MS14-066, the security hole in Microsoft's TLS cryptography library opens the door to remote code execution on unpatched servers, Microsoft warns.

As such, the security vulnerability is arguably even worse than the infamous Heartbleed vulnerability in OpenSSL, which, although easy to exploit, was only an information disclosure security bug.

The Microsoft SChannel vulnerability (called WinShock by some) carries the potential risk that it might be exploited to push malicious code onto vulnerable systems, something not possible with Heartbleed.

Apple SecureTransport technology needed patching back in April while GnuTLS had not just one, but two very nasty flaws during 2014.

"Every major TLS stack: OpenSSL, GNUTLS, NSS, MS SChannel, and Apple SecureTransport has had a severe security vulnerability so far this year," said security engineer Tony Arcieri in a note.

As well as patching the critical security flaw in Microsoft SChannel, Microsoft also used the update to add support for four new cipher suites.

"This update includes new TLS cipher suites that offer more robust encryption to protect customer information," Microsoft explains in its notice. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy by using DHE key exchange together with RSA authentication."

Unusually, Microsoft admits that there are no mitigating factors against the security vulnerability and no workarounds. "An attacker who successfully exploited this vulnerability could run arbitrary code on a target server" using malicious packets, it warned.

Windows Server 2012, Windows Server 2008 R2 and Windows Server 2003 are all vulnerable to this TLS vulnerability.

Workstations running Vista, Windows 7 and Windows 8 are also on the critical list, but perhaps not in quite so much immediate danger.

This is about as bad as it gets, and the only small piece of comfort comes from an absence of reports (for now at least) that the SChannel security flaw is under attack.

Curiously though, there's no real acknowledgement of who reported the security flaw to Microsoft in the first place, leaving wide open the possibilities that it was either discovered internally or privately reported by an entity that didn't want any credit.

Gavin Millard, EMEA technical director for Tenable Network Security, urged immediate patching to defend against WinShock.

"Is 'WinShock' as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code, it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them," Millard said.

"Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of this security vulnerability, it won’t be long until one does, which could be disastrous for any system admin that hasn’t updated yet.

"It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infecting hosts with malware or rootkits and the exfiltration of sensitive data," he added.

Microsoft’s November Patch Tuesday, released yesterday with 14 security bulletins, of which four are listed as very critical, collectively covered forty security vulnerabilities.

The critical SChannel security flaw might not even be the most pressing candidate for triage, according to some patching experts. That "honor" goes to a fix for a vulnerability which created a means to booby-trap PDF files that has been a theme of recent hacker action.

Ross Barrett, senior manager of security engineering at Rapid7, advised: "The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a security vulnerability in OLE (Object Linking and Embedding)."

The other two critical security updates are MS14-066, a cumulative update for Internet Explorer that addresses no fewer than seventeen vulnerabilities, and MS14-069, a permanent fix of sorts for a Remote Code Execution (RCE) security vulnerability in Microsoft Word 2007.

The IE update includes a fix for a rare unicorn-like bug in Internet Explorer-dependent code that opens avenues for man-in-the-middle attacks, as previously reported.

Source: Microsoft.


       © IT Direction. All rights reserved.