Patch Tuesday: WinShock Vulnerability

Today, as part of Microsoft’s Patch Tuesday, a vulnerability was announced that could allow remote code execution on a large number of Windows platforms, including Windows server platforms.

Currently known as ‘WinShock,’ this security flaw (MS14-066) is a vulnerability in the Microsoft Secure Channel (Schannel) security package. Administrators are being urged to patch immediately even though there are no known exploits, as the bug is critical and affects a large number of Windows platforms.

In addition to patching the vulnerability, Microsoft included support for four new cipher suites in the patch:

“This update includes new TLS cipher suites that offer more robust encryption to protect customer information… These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication.”

What Is Schannel and What Does the Bug Do?

Secure Channel, usually called Schannel, is a security support provider (SSP). Schannel provides SSL and TLS encryption and authentication for web browsers that don’t have their own libraries, including Internet Explorer. Schannel is used in HTTPS for secure web browsing as well as many other protocols like secure email, inter-server communication, remote desktop connections, etc.

If an attacker was able to successfully exploit the vulnerability, the attacker could execute code on the server remotely, allowing them to gain privileged access to the network. This could lead to future exploitation like infecting the system will malware or exporting sensitive data.

What’s the Impact?

A lot of people are asking “is WinShock as bad as ShellShock and Heartbleed?” Currently it’s hard to say because of the lack of details and that there are no proof of concepts or known exploits. This is likely due to the fact that it was either discovered internally or privately, and Microsoft has given very little information about the vulnerability other than that it exists.

However, it won’t be long before someone figures out how to exploit it. The bug will inevitably be found by other researchers and the details will be publicized.

The vulnerability itself is critical because a successful exploitation could allow an attacker to run arbitrary code on a target server, it affects almost all versions of Windows, and is in a common component (Schannel). Because of this, administrators should update all versions of Windows to avoid becoming a target when an exploit is discovered.

What Should I Do?

Administrators should patch all systems before an exploit is discovered. For a full list of affected platforms and for patches, see Microsoft’s advisory here.