Microsoft fixes critical crypto flaw, strenghtens encryption for older systems

A vulnerability in the Microsoft SChannel component could expose servers to remote code execution attacks

Microsoft fixed a critical vulnerability Tuesday in the Windows cryptographic library that could expose Windows servers to remote code execution attacks. The update also adds support for stronger and more modern cryptographic ciphers to older Windows versions.

"The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server," Microsoft's said in a security bulletin called MS14-066. However, the flaw is in the Microsoft Secure Channel (SChannel) component that exists in all Windows versions and implements the SSL and TLS cryptographic protocols.

The Microsoft security bulletin makes it clear that an attacker could exploit the vulnerability to execute arbitrary code on a Windows system running as a server. However, it's not as clear whether a malicious HTTPS website could exploit the vulnerability to execute code on a Windows computer when a user visits the site in Internet Explorer, which relies on SChannel for SSL/TLS connections.

A separate Microsoft blog post about assessing the risk for the November security updates suggests that this might be possible. It contains a table that lists the most likely attack vector for MS14-066 as "user browses to a malicious webpage."

Microsoft did not immediately respond to a request for clarifications.

"The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website (which most are these days)," said Jared DeMott, a security researcher at Bromium, via email. "And it would be straightforward for an attacker with details of this vulnerability, to host a malicious site that offers 'security' via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we'll have to wait to hear about how bad it is."

This critical SChannel flaw comes after serious vulnerabilities were found this year in other widely used SSL/TLS libraries, including OpenSSL, GnuTLS and the TLS library used by Apple in Mac OS X and iOS.

But the update described in MS14-066 doesn't only address a security vulnerability. It also adds support for stronger encryption ciphers on older Windows versions.

"This update includes new TLS cipher suites that offer more robust encryption to protect customer information," the security bulletin says. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."

In recent years, researchers demonstrated attacks against TLS configurations that use the RC4 stream cipher or block ciphers like AES that operate in cipher-block-chaining (CBC) mode. This leaves ciphers that operate in Galois/Counter Mode (GCM) and that are only available in TLS 1.2 as one of the few fully secure alternatives.

Before this new update, the GCM cipher suites with PFS were previously only available on Windows 8.1 and Windows Server 2012 R2.

"While this enhanced data protection is already included for those running the latest platform, the reality is that many of our customers have not yet upgraded their platforms or are in the process," said Matt Thomlinson, vice president for Microsoft Security, in a blog post. "Through a comprehensive engineering effort and extensive testing, we are now also able to offer best-in-class encryption to our customers running older versions of our platforms."

However, it's not all older versions, but only Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. Although the MS14-066 security patch (KB2992611) is available for Windows Vista and Windows Server 2003 as well, those platforms were not among those enumerated by Thomlinson as also getting the new ciphers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftpatchesExploits / vulnerabilitiesBromium

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Imou: At home with security

Modern living is all about functionality and security for everybody from the very young to the very old. With Imou anybody can enjoy smart life – the solution is at their fingertips.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?