Microsoft has issued critical patches for flaws relating to SSL/TLS encryption on Windows systems, as well as the Windows Object Linking and Embedding (OLE) protocol.
On Tuesday morning, the Redmond technology giant issued a news bulletin announcing the release of 14 security patches, including four rated ‘critical’ and eight as ‘important’, as part of its Patch Tuesday programme.
Arguably the most important of all of these was a patch for a flaw in the Microsoft secure channel (Schannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols that are used to handle encryption and authentication in Windows – including on HTTP applications.
According to the Microsoft advisory, the flaw comes down to the “improper processing of specially crafted packets”, which could be exploited by attackers remotely executing attacks on targets by sending malicious traffic to a Windows-based server.
The advisory notes that the flaw (MS14-066) – which has no workaround – is ‘critical’ for servers (Windows Server 2003, 2008 and 2012) and desktop devices, with the latter potentially threatening users running Vista, windows 7, 8 , 8.1 and Windows RT.
Amol Sarwate, director of engineering at Qualys, told newswire Ars Technica that these would be particularly vulnerable if the user had installed software on their client devices to monitor internet ports.
Fortunately, Microsoft says that there is no evidence pointing to in-the-wild exploits being used against Windows users at this point, although observers will note that the flaw itself comes in a year where the TLS stack (including Apple’s Secure Transport, Open SSL, NSS, GNU TLS and now SChannel) have been found with varying vulnerabilities.
The update was one of 16 (two have been postponed) scheduled for the Patch Tuesday batch, which also discloses and issues fixes for two OLE bugs.
The latter affects all supported versions of Windows and is given an ‘exploitability’ rating of “0” as the zero-day (CVE-201406352) is being used in “limited, targeted attacks in the wild.” Specifically, the most severe of the vulnerabilities could allow for remote code execution if a user was directed to a spoofed webpage on Internet Explorer.
“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” reads the advisory. “If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Elsewhere, there are also fixes for bugs in XML Core Services (rated as critical for Vista, Windows 7, 8 and 8.1 devices), Office, Exchange and SharePoint. The full list can be seen here.
In an email to journalists, Ross Barrett, senior manager of security engineering at Rapid7, said that MS14-064 is the most critical flaw, as it relates to OLE which was exploited in the Sandworm exploit – which has been used to target Windows devices within critical infrastructure.
“The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE,” he said.
“After MS14-064, attention goes to MS14-065 and MS14-066, Internet Explorer and SChannel respectively. The SChannel issue is risky, since there is a very good chance that this service could be exposed or accessed via the perimeter. The IE patches are cumulative, as usual, and address 17 CVEs.
He added: “Perimeter systems are often mission critical and need the fastest attention. Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”
Ethical hacker Gavin Millard, who is technical director EMEA at Tenable Security, added in an email to SCMagazineUK.com that MS14-064 and MS14-066 should be the highest priority– noting that the latter is the most concerning as it affects all supported versions of Windows.
“MS14-064, a vulnerability in the Windows Object Linking and Embedding (OLE) library, appears to be a continuation of vulnerabilities disclosed last month in MS14-060. Researchers have already identified this vulnerability being used in the wild for exploitation through the use of malicious PowerPoint files,” he told SC.
“The larger worry for many is MS14-066 though as it’s a remote code execution vulnerability affecting all supported versions of Windows including the server platforms. The bug was discovered in Schannel, a set of security protocols for communication and identification, and is of particular concern due to the possibility of an attacker utilising it without user interaction.
“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.”
Millard admitted it’s hard to say if the flaw could be potentially as dangerous as Shellshock (an open-source flaw which allowed an attacker to perform remote code execution attacks on any server using the Bash shell) and Heartbleed (OpenSSL bug exploited, with thousands of websites and web servers affected).
“Is MS14-066 as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”
Robert Brown, director of services at cloud-based IT endpoint management solution provider Verismic, suggested however that Microsoft’s patches can be hard to manage for security teams with short maintenance windows.
And citing the US National Vulnerability Database where CVEs are scored independently by CERT, he told SCMagazineUK.com: “They will probably look at the credibility and if there are any confirmed exploits. In my opinion, they will make these critical if there is active exploit.”
He went onto note that MS14-066 – already named Winshock in some quarters – would still require a user clicking on the link and using a device with administrator rights for an exploit to be effective, and suggested that MS14-065 is more pervasive as the Internet Explorer bug could be used to ‘actively infect a huge amount of the Windows estate’.
Citing the fact that it affects all versions of IE going back to version 6.0, he said: “One problem with Microsoft’s binary is that files remain behind it even if you don’t use [the application]…and lock it from your machine. The little seed is still there.” He added that hackers could remotely exploit the flaw by using a crafted instant messenger message promising Christmas pictures, for example, before delivering the payload.