Original release date: November 14, 2014
Microsoft Windows Server 2003 SP2Microsoft Windows Vista SP2Microsoft Windows Server 2008 SP2Microsoft Windows Server 2008 R2 SP1Microsoft Windows 7 SP1Microsoft Windows 8Microsoft Windows 8.1Microsoft Windows Server 2012Microsoft Windows Server 2012 R2Microsoft Windows RTMicrosoft Windows RT 8.1Microsoft Windows XP and 2000 may also be affected.
A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.
Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks. An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.
This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.
Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.
 NIST Vulnerability Summary for CVE-2014-6321
 Microsoft Security Bulletin MS14-066 – Critical
 Microsoft, Secure Channel
 Reddit, Microsoft Security Bulletin MS14-066
 Pastebin, SChannelShenanigans
November 14, 2014: Initial Release
This product is provided subject to this Notification and this Privacy & Use policy.