Microsoft fixes critical crypto flaw, strenghtens encryption for older systems

A vulnerability in the Microsoft SChannel component could expose servers to remote code execution attacks

Microsoft fixed a critical vulnerability Tuesday in the Windows cryptographic library that could expose Windows servers to remote code execution attacks. The update also adds support for stronger and more modern cryptographic ciphers to older Windows versions.

"The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server," Microsoft's said in a security bulletin called MS14-066. However, the flaw is in the Microsoft Secure Channel (SChannel) component that exists in all Windows versions and implements the SSL and TLS cryptographic protocols.

The Microsoft security bulletin makes it clear that an attacker could exploit the vulnerability to execute arbitrary code on a Windows system running as a server. However, it's not as clear whether a malicious HTTPS website could exploit the vulnerability to execute code on a Windows computer when a user visits the site in Internet Explorer, which relies on SChannel for SSL/TLS connections.

A separate Microsoft blog post about assessing the risk for the November security updates suggests that this might be possible. It contains a table that lists the most likely attack vector for MS14-066 as "user browses to a malicious webpage."

Microsoft did not immediately respond to a request for clarifications.

"The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website (which most are these days)," said Jared DeMott, a security researcher at Bromium, via email. "And it would be straightforward for an attacker with details of this vulnerability, to host a malicious site that offers 'security' via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we'll have to wait to hear about how bad it is."

This critical SChannel flaw comes after serious vulnerabilities were found this year in other widely used SSL/TLS libraries, including OpenSSL, GnuTLS and the TLS library used by Apple in Mac OS X and iOS.

But the update described in MS14-066 doesn't only address a security vulnerability. It also adds support for stronger encryption ciphers on older Windows versions.

"This update includes new TLS cipher suites that offer more robust encryption to protect customer information," the security bulletin says. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."

In recent years, researchers demonstrated attacks against TLS configurations that use the RC4 stream cipher or block ciphers like AES that operate in cipher-block-chaining (CBC) mode. This leaves ciphers that operate in Galois/Counter Mode (GCM) and that are only available in TLS 1.2 as one of the few fully secure alternatives.

Before this new update, the GCM cipher suites with PFS were previously only available on Windows 8.1 and Windows Server 2012 R2.

"While this enhanced data protection is already included for those running the latest platform, the reality is that many of our customers have not yet upgraded their platforms or are in the process," said Matt Thomlinson, vice president for Microsoft Security, in a blog post. "Through a comprehensive engineering effort and extensive testing, we are now also able to offer best-in-class encryption to our customers running older versions of our platforms."

However, it's not all older versions, but only Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. Although the MS14-066 security patch (KB2992611) is available for Windows Vista and Windows Server 2003 as well, those platforms were not among those enumerated by Thomlinson as also getting the new ciphers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityMicrosoftencryptionpatchesExploits / vulnerabilitiesBromium

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?