Menu
Microsoft fixes critical crypto flaw, strenghtens encryption for older systems

Microsoft fixes critical crypto flaw, strenghtens encryption for older systems

A vulnerability in the Microsoft SChannel component could expose servers to remote code execution attacks

Microsoft fixed a critical vulnerability Tuesday in the Windows cryptographic library that could expose Windows servers to remote code execution attacks. The update also adds support for stronger and more modern cryptographic ciphers to older Windows versions.

"The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server," Microsoft's said in a security bulletin called MS14-066. However, the flaw is in the Microsoft Secure Channel (SChannel) component that exists in all Windows versions and implements the SSL and TLS cryptographic protocols.

The Microsoft security bulletin makes it clear that an attacker could exploit the vulnerability to execute arbitrary code on a Windows system running as a server. However, it's not as clear whether a malicious HTTPS website could exploit the vulnerability to execute code on a Windows computer when a user visits the site in Internet Explorer, which relies on SChannel for SSL/TLS connections.

A separate Microsoft blog post about assessing the risk for the November security updates suggests that this might be possible. It contains a table that lists the most likely attack vector for MS14-066 as "user browses to a malicious webpage."

Microsoft did not immediately respond to a request for clarifications.

"The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website (which most are these days)," said Jared DeMott, a security researcher at Bromium, via email. "And it would be straightforward for an attacker with details of this vulnerability, to host a malicious site that offers 'security' via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we'll have to wait to hear about how bad it is."

This critical SChannel flaw comes after serious vulnerabilities were found this year in other widely used SSL/TLS libraries, including OpenSSL, GnuTLS and the TLS library used by Apple in Mac OS X and iOS.

But the update described in MS14-066 doesn't only address a security vulnerability. It also adds support for stronger encryption ciphers on older Windows versions.

"This update includes new TLS cipher suites that offer more robust encryption to protect customer information," the security bulletin says. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."

In recent years, researchers demonstrated attacks against TLS configurations that use the RC4 stream cipher or block ciphers like AES that operate in cipher-block-chaining (CBC) mode. This leaves ciphers that operate in Galois/Counter Mode (GCM) and that are only available in TLS 1.2 as one of the few fully secure alternatives.

Before this new update, the GCM cipher suites with PFS were previously only available on Windows 8.1 and Windows Server 2012 R2.

"While this enhanced data protection is already included for those running the latest platform, the reality is that many of our customers have not yet upgraded their platforms or are in the process," said Matt Thomlinson, vice president for Microsoft Security, in a blog post. "Through a comprehensive engineering effort and extensive testing, we are now also able to offer best-in-class encryption to our customers running older versions of our platforms."

However, it's not all older versions, but only Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. Although the MS14-066 security patch (KB2992611) is available for Windows Vista and Windows Server 2003 as well, those platforms were not among those enumerated by Thomlinson as also getting the new ciphers.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityMicrosoftencryptionpatchesExploits / vulnerabilitiesBromium

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments