SChannel and MS14-066, another Red Alert?

Blog post created by josh on Nov 12, 2014

This has been a busy Patch Tuesday for Microsoft. Of the fourteen bulletins, four of which were deemed critical, MS14-066 has been getting the most attention. This vulnerability, CVE-2014-6321, affects Windows Secure Channel (SChannel) and was discovered privately by Microsoft through an internal code review. SChannel is used by anything leveraging the built-in SSL and TLS implementation; this includes IIS, Active Directory, OWA, Exchange, Internet Explorer, and Windows Update.

Details surrounding the vulnerability are vague, but Microsoft has indicated that there are no known exploits in the wild and the development of exploit code will be challenging. This vulnerability is reported to affect all Windows servers and clients, and while it’s unlikely to be exploited today, it should be patched as soon as possible given the possibility of remote code execution.

Is this Heartbleed 2.0?

We have seen this vulnerability being compared to Heartbleed and want to dispel some of the myths floating around. This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities.

Heartbleed, Bashbug, and Sandworm were all security risks that were being actively exploited in the wild upon their publication, and exploitation was relatively trivial. Additionally, sufficient remediation via patching was not readily available at the time some of these risks were publicly disclosed. As mentioned above, MS14-066 was discovered internally at Microsoft; Microsoft has indicated that exploit code will be challenging to develop, and a patch was made available at the same time the vulnerability was reported.

Organizations vulnerable to the more recent critical vulnerabilities were faced with imminent threat of exploitation. That is not (yet) the case with the SChannel vulnerability. Microsoft customers can take a deep breath before they dive head first into patching, but should make sure patching is treated at the highest priority given the potential risk if/when an exploit is successfully developed.

What is vulnerable?

Microsoft reports that the SChannel security package is vulnerable on both Windows servers and clients. SChannel is a Security Support Provider (SSP) that implements the SSL and TLS authentication protocols. This package is used to provide secure communications for many common applications, including Active Directory, IIS, OWA, Exchange, Internet Explorer, Windows Update, and any other application using integrated SSL/TLS.

Reportedly, specially crafted packets being processed by SChannel could cause the operating system to execute unintended code.

Bottom Line

MS14-066 should be patched across all clients and servers as soon as possible. While leaving assets unpatched over the next day or so is unlikely to result in immediate compromise, given the reported complexity of the exploit, it is not worth the risk.
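Since the advice above is to confirm the update is in place everywhere, here is an added PowerShell example (not part of the original post) that queries a list of hosts for the MS14-066 hotfix and reports which ones still lack it. The KB article number is not given on this page, so it is left as a labelled placeholder parameter; the host names are constructed sample input.

```powershell
# Added example: report which Windows hosts are missing the MS14-066 update.
# Assumptions: WinRM/WMI access to the hosts, and the KB number for MS14-066
# substituted for the placeholder below (the page does not state it).
param(
    # PLACEHOLDER: replace with the KB article number for MS14-066.
    [string]$KbId = 'KBNNNNNNN',
    # Constructed sample host list; replace with your server/client inventory.
    [string[]]$Hosts = @('dc01', 'iis01', 'exch01', 'ws-finance-07')
)

$results = foreach ($h in $Hosts) {
    try {
        # Get-HotFix writes a non-terminating error when the KB is absent,
        # so suppress it and treat an empty result as "not installed".
        $hotfix = Get-HotFix -Id $KbId -ComputerName $h -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host        = $h
            Reachable   = $true
            Patched     = [bool]$hotfix
            InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        }
    } catch {
        # Unreachable hosts are reported separately so they are not mistaken
        # for patched ones; they still need follow-up.
        [pscustomobject]@{ Host = $h; Reachable = $false; Patched = $false; InstalledOn = $null }
    }
}

# Unpatched and unreachable hosts first, since those need action.
$results | Sort-Object Patched, Reachable | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Patched }
Write-Host ("{0} of {1} hosts still need attention for {2}." -f $missing.Count, $Hosts.Count, $KbId)
```

Run it from a management host with the real KB number; anything listed as unreachable should be chased down by other means (SCCM/WSUS reporting, for example) rather than assumed patched, since every SSL/TLS-dependent role named above is in scope.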