Security researchers say the newly-disclosed critical SSL weakness in Microsoft’s Windows operating system could be worse than Heartbleed and Shellshock.
Microsoft’s newly released security update for MS14-066 addresses the vulnerability – and this should be a top priority for system administrators, according to some security experts.
IBM researchers discovered the flaw and worked with Microsoft to fix it before going public. The researchers said the vulnerability had existed in Microsoft Windows operating systems (OS) for the past 19 years.
The flaw in Microsoft’s Secure Channel (SChannel) implementation could allow a remote, unauthenticated attacker to execute arbitrary code.
Attackers could exploit it to take over a victim’s machine, said Robert Freeman, security researcher at IBM.
Attackers could even sidestep the Enhanced Protected Mode (EPM) sandbox in Internet Explorer (IE) 11 and Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), Freeman wrote in a blog post.
The SChannel security component implements the secure sockets layer (SSL) and transport layer security (TLS) protocols.
SChannel bug affects many systems
“Attackers could execute arbitrary code on a long list of Microsoft products, including desktop systems with RDP enabled and any web applications using IIS for HTTPS,” said Craig Young, security researcher at Tripwire.
“Reliable exploitation of the SChannel bug has the potential to be worse than Heartbleed and Shellshock combined due to the large numbers of affected systems.”
Ross Barrett, senior manager of security engineering at Rapid7, described the vulnerability as a risky issue.
“What makes this particularly risky is that there is a very good chance the service could be exposed or accessed via the perimeter,” Barrett said.
The Microsoft advisory refers to vulnerabilities targeting Windows servers. Some analysts said the vulnerability is rated critical for client and server versions of Windows alike, suggesting the flaw may also affect Windows desktop users.
Amichai Schulman, chief technology officer at Imperva, said the advisory from Microsoft does not state that hosts running web servers are more vulnerable than others.
“It seems that, while the same patch includes enhancement to the TLS ciphersuite list, this enhancement has nothing to do with the vulnerability being patched,” said Schulman.
“If this vulnerability is indeed exploitable via SSL/TLS, it is more severe in nature than Heartbleed because this is a remote code execution vulnerability – it allows the attacker to completely take over the server while Heartbleed attempted, opportunistically, to collect sensitive information.”
Administrators’ patching priorities
According to Young, Heartbleed was less powerful because it was just an information disclosure bug. Shellshock was remotely exploitable only in a subset of affected systems.
He said some administrators may want to prioritise this over the IE patch – even though there had been attacks against the browser – because MS14-066 could be exploited without user interaction.
“Fortunately Microsoft’s assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give administrators enough time to patch their systems before we see exploits,” said Young.
TK Keanini, chief technology officer at Lancope, said system administrators should already have a process to review and patch after each Microsoft update.
“Those who have good habits remain secure, but those who have bad habits need reminders – or will ultimately get compromised before they get around to updating,” he said.
Keanini said the SChannel bug affects the listening side of the connection – traditionally the server – but added that the distinction is hard to draw nowadays, because software on traditional desktop operating systems increasingly installs itself as a server.
“Online games are particularly notorious in installing listening ports for incoming connections, so it is best that everyone just applies the patch, regardless of the client or server designation,” he said.
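An added check, not from the article or the quoted experts, that an administrator can run to act on that advice: it reports whether the MS14-066 update is present and lists every process holding a listening TCP socket, since those are the hosts on the affected side of a TLS connection whatever their client or server designation. It assumes PowerShell on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and uses a placeholder for the update's KB number, which is not given in the article.

```powershell
# Added example (not from the article). Reports MS14-066 patch status and
# enumerates listening TCP sockets with their owning processes, because the
# SChannel bug affects the listening side regardless of the machine's role.
# The KB id is a placeholder: replace it with the one in the MS14-066 bulletin.
$Ms14066Kb = 'KBxxxxxxx'   # placeholder, not a real KB number

# Get-HotFix writes an error for an unknown id, so suppress it and test the result.
$hotfix = Get-HotFix -Id $Ms14066Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "MS14-066 update $Ms14066Kb installed on $env:COMPUTERNAME ($($hotfix.InstalledOn))"
} else {
    "MS14-066 update $Ms14066Kb NOT found on $env:COMPUTERNAME - patch before this host is exposed"
}

# Every listening socket is a potential SChannel endpoint if the owning
# process terminates TLS through it (IIS HTTPS, RDP, or third-party software
# such as games that register their own listeners).
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    ForEach-Object {
        # Resolve the owning process; system-owned sockets may have no path.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    } | Format-Table -AutoSize
```

On Windows 7 / Server 2008 R2, which lack Get-NetTCPConnection, the second half can be replaced with `netstat -ano | findstr LISTENING` and the PID column matched to Get-Process.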
SChannel bug worse than OpenSSL Heartbleed
Keanini expects attackers to add the exploitation of the SChannel bug to their toolkit as they explore networks for ways to get access.
“System administrators have two tasks: First, to patch and narrow the aperture of the target surface; and second – more importantly – to have the telemetry in place so that, if someone is performing this reconnaissance on a network, they can be spotted and blocked before exploitation or exfiltration,” he said.
Microsoft’s disclosure about the SChannel vulnerability means that a severe vulnerability has been reported in just about every major TLS stack this year.
Until now, the most severe has been the Heartbleed bug in OpenSSL, but it has now been joined – and possibly surpassed – by the SChannel vulnerability.
Microsoft’s advisory said there are no mitigating factors and no workarounds for the bug, and its separate exploitability index rates real-world attacks as likely.
The advisory said there was no evidence of in-the-wild exploits against Windows users at the time of publication, but attacks exploiting the Heartbleed flaw were reported soon after the vulnerability was publicly disclosed.
Security experts said any Windows-based computers, especially if they run a web or e-mail server, should install the appropriate software update as soon as possible.