Critical Vulnerability in Microsoft SChannel

    Windows users, I think, were somewhat upset that OpenSSL Heartbleed had almost no effect on them. Now they can have fun, because they have a similar vulnerability!

    Yesterday, Microsoft published Security Bulletin MS14-066 , which describes a critical bug in SChannel, Microsoft's SSL / TLS implementation that allows an attacker to remotely execute arbitrary code. Updates covering the vulnerability are already available through Windows Update.

    All versions of Windows are supported, starting from 2003, including Windows RT. This suggests that the vulnerability exists not only on the server side, but also on the client side.
    Affected Windows Versions:
    • Windows Server 2003 Service Pack 2
    • Windows Vista Service Pack 2
    • Windows Server 2008 Service Pack 2
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2
    • Windows 8
    • Windows 8.1
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows RT
    • Windows RT 8.1

    Based on the information from the technet blog , the vulnerability was found inside Microsoft during product security testing, so it can be assumed that the vulnerability has not been exploited before. The Cisco blog tells us that this CVE covers several bugs at once: from buffer overflows to bypass certificate validation.

    Among other things, the update adds new encryption methods (ciphersuites) using AES-GCM.
    You should upgrade as soon as possible.

    Also popular now: