Microsoft fixes critical crypto flaw, strenghtens encryption for older systems

A vulnerability in the Microsoft SChannel component could expose servers to remote code execution attacks

Microsoft fixed a critical vulnerability Tuesday in the Windows cryptographic library that could expose Windows servers to remote code execution attacks. The update also adds support for stronger and more modern cryptographic ciphers to older Windows versions.

"The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server," Microsoft's said in a security bulletin called MS14-066. However, the flaw is in the Microsoft Secure Channel (SChannel) component that exists in all Windows versions and implements the SSL and TLS cryptographic protocols.

The Microsoft security bulletin makes it clear that an attacker could exploit the vulnerability to execute arbitrary code on a Windows system running as a server. However, it's not as clear whether a malicious HTTPS website could exploit the vulnerability to execute code on a Windows computer when a user visits the site in Internet Explorer, which relies on SChannel for SSL/TLS connections.

A separate Microsoft blog post about assessing the risk for the November security updates suggests that this might be possible. It contains a table that lists the most likely attack vector for MS14-066 as "user browses to a malicious webpage."

Microsoft did not immediately respond to a request for clarifications.

"The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website (which most are these days)," said Jared DeMott, a security researcher at Bromium, via email. "And it would be straightforward for an attacker with details of this vulnerability, to host a malicious site that offers 'security' via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we'll have to wait to hear about how bad it is."

This critical SChannel flaw comes after serious vulnerabilities were found this year in other widely used SSL/TLS libraries, including OpenSSL, GnuTLS and the TLS library used by Apple in Mac OS X and iOS.

But the update described in MS14-066 doesn't only address a security vulnerability. It also adds support for stronger encryption ciphers on older Windows versions.

"This update includes new TLS cipher suites that offer more robust encryption to protect customer information," the security bulletin says. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."

In recent years, researchers demonstrated attacks against TLS configurations that use the RC4 stream cipher or block ciphers like AES that operate in cipher-block-chaining (CBC) mode. This leaves ciphers that operate in Galois/Counter Mode (GCM) and that are only available in TLS 1.2 as one of the few fully secure alternatives.

Before this new update, the GCM cipher suites with PFS were previously only available on Windows 8.1 and Windows Server 2012 R2.

"While this enhanced data protection is already included for those running the latest platform, the reality is that many of our customers have not yet upgraded their platforms or are in the process," said Matt Thomlinson, vice president for Microsoft Security, in a blog post. "Through a comprehensive engineering effort and extensive testing, we are now also able to offer best-in-class encryption to our customers running older versions of our platforms."

However, it's not all older versions, but only Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. Although the MS14-066 security patch (KB2992611) is available for Windows Vista and Windows Server 2003 as well, those platforms were not among those enumerated by Thomlinson as also getting the new ciphers.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityencryptionBromiumExploits / vulnerabilities

More about AppleCBCMicrosoftRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts