Critical patch - Huge Windows vulnerability that affects all versions

Vulnerability in Schannel Could Allow Remote Code Execution

         

bill

6:32 am on Nov 12, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



http://thenextweb.com/microsoft/2014/11/11/microsoft-posts-critical-patch-huge-server-vulnerability/ [thenextweb.com]

Microsoft posts critical patch for huge Windows vulnerability that affects all modern machines

The bad news? It affects everything running a modern version of Windows, meaning businesses will need to patch a lot of machines as soon as possible. Microsoft also says that there is no workaround or ways to mitigate the attack, other than via a patch.

The good news is that Microsoft says there is no evidence this bug has been exploited in the wild and there’s a patch out right now on Windows Update.

graeme_p

8:18 am on Nov 12, 2014 (gmt 0)


It's worse than Heartbleed - affects all versions, and allows running arbitrary code, not an information leak.

Are there any SSL implementations left in which a vulnerability has not been found? It looks to me as though, since Apple's was discovered, everyone has started auditing their code (which should have been done all along) and finding the vulnerabilities.

mcneely

7:18 am on Nov 13, 2014 (gmt 0)


Thank Gawd I've only one Windows box left .. everything else is Linux, and I did all of my scrambling around months ago.

ergophobe

4:43 pm on Nov 13, 2014 (gmt 0)


This pushed out to my machines yesterday before I noticed this post... phew!

But reading the article, it appears that it only affects machines running a Windows server... so for the average end user there's not much of a risk.

bill

5:08 am on Nov 14, 2014 (gmt 0)


But reading the article, it appears that it only affects machines running a Windows server... so for the average end user there's not much of a risk.

Unfortunately, no. This affects Windows Server 2003, 2008, 2012, Vista, 7, 8, 8.1 and Windows RT.

I'm not clear on the exact threat, but a security podcast I listen to said that if you connect to a compromised server with an unpatched Windows desktop/workstation then you'd be in trouble too. Windows XP and Windows 2000 users are out of luck in terms of a patch.

The advice is to patch every Windows machine you can ASAP. Microsoft gave the vulnerability an exploitability rating of 1, which indicates that an exploit would be fairly easy to create. Within a week there will likely be exploits out there.

tangor

11:05 am on Nov 14, 2014 (gmt 0)


Patch came through, as advertised, but at a time I was critical in project... so had to keep telling it "NO" to reboot now until I could close the project. All went fine, just a note that things happen when you least wish them. :)

ergophobe

11:35 pm on Nov 14, 2014 (gmt 0)


Bill, are you sure? The article says

Microsoft gives few details about the exploit, other than saying that the bug would “allow remote code execution if an attacker sends specially crafted packets to a Windows server.” ... The attack appears to only affect those running a server on affected platforms.

ergophobe

11:38 pm on Nov 14, 2014 (gmt 0)


And from the MS page


How could an attacker exploit the vulnerability?

An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server.


What systems are primarily at risk from the vulnerability?

Server and workstation systems that are running an affected version of Schannel are primarily at risk.

graeme_p

5:56 pm on Nov 15, 2014 (gmt 0)


From what I read it needs some sort of server running on it - i.e. accepting incoming SSL connections.

So the vulnerability exists in all versions of Windows, but is more likely to be exploitable on a server.