MS14-066 – A critical bug potentially affects all Windows versions. Patch it!

MS14-066 – A critical vulnerability affects all versions of Microsoft Windows systems, its exploitation could have catastrophic consequences.

Microsoft has revealed the existence of a critical vulnerability in all versions of Windows operating systems, the flaw is particularly dangerous for users that servers that expose website. Microsoft issued a security advisory (Microsoft Security Bulletin MS14-066) on the vulnerability that could be exploited remotely to execute arbitrary code.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) standard authentication protocols.

“Schannel is part of the security package that helps provide an authentication service to provide secure communications between client and server. For more information, see Secure Channel.”

In the MS14-066 bulletin Microsoft explained that a failure to properly filter specially formed packets allow bad actors to run an attack by sending specially crafted packets to a Windows-based server.

“The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. This security update is rated Critical for all supported releases of Microsoft Windows.” states the MS14-066 security advisory.

Microsoft warns that the flaw affects Windows servers, but it is rated critical for both client and server versions of Windows. Experts speculate that the remote-code vulnerability may impact every Windows-based system that run software that listen Internet ports and accepts encrypted connections from outside, for example a server that exposes an FTP service accepting connections from the Internet.

The overall impact of the vulnerability could be dramatic, this is the last case in order of time for major flaws that are threatening the security of the Internet users like the Heartbleed bug in OpenSSL library.

I invite you to read the FAQ session of the MS14-066 Microsoft security advisory, the company explains that there are no mitigating factors and no workarounds for the vulnerability.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code on a target server.

How could an attacker exploit the vulnerability? 
An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server.

What systems are primarily at risk from the vulnerability? 
Server and workstation systems that are running an affected version of Schannel are primarily at risk.

Microsoft also evaluated the Exploitability of the flaw as “likely” for every Windows version, as reported in exploitation index. In time I’m writing there is no evidence of attacks in-the-wild that are exploiting the bug against Windows servers. Of course, the MS14-066 is part of this month’s Patch Tuesday batch, which included also a fix for a zero-day vulnerability exploited in cyber espionage campaigns against high-profile targets worldwide.

If you use a Windows system, don’t wast time update is immediately.

Pierluigi Paganini

(Security Affairs –  MS14-066, Windows)