Microsoft Publishes Critical Vulnerability MS14-066 in Windows SSL Library

15 November 2014

On November 11, 2014 Microsoft published Security Bulletin MS14-066, describing a vulnerability (CVE-2014-6321) in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability is rated Critical; its CVSS v2 base score is 10.0, the maximum.

The good news is: this vulnerability was discovered by Microsoft itself during a proactive security assessment, so no public exploit preceded the patch.

The bad news is: since nearly all Microsoft products that use SSL/TLS rely on the Schannel package, the impact of this vulnerability might be greater than that of the Heartbleed SSL bug. Heartbleed leaked process memory; according to the bulletin, this flaw allows remote code execution when an attacker sends specially crafted packets to a Windows server.

Although Microsoft published a patch last Tuesday, the November patch day, it will take a long time to patch the possibly thousands of systems in a company. The guys on the dark side will not sleep, though. It is very likely that exploits will be available on the black market within the next few days.

Thus the patching must be addressed strategically. Hopefully you have an up-to-date inventory of your systems. I would start with systems that are exposed to the internet, e.g. external mail servers or web servers. In parallel I would patch all laptops and tablets that leave the network. Although it is not very likely that they listen for inbound SSL/TLS connections, you should check and patch them anyway: the bulletin's affected-software list covers the client editions of Windows as well as the server editions, and a laptop with Remote Desktop enabled is a Schannel listener on port 3389. In the next step I would patch all internal servers and the remaining internal clients.
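The triage order above, as an added PowerShell example that is not part of the original post: it reads an inventory, checks each host for the MS14-066 update and lists unpatched hosts in the post's priority order. Everything beyond the post's own advice is an assumption of this example: that the update is KB2992611 (verify against the bulletin), that the admin workstation can run Get-HotFix and Test-NetConnection against the hosts, that the TLS port list is a reasonable set of Schannel-backed listeners, and that the inventory CSV below is constructed sample data.

```powershell
# Added example, not code from the original post.
# Assumption: MS14-066 is delivered as KB2992611 (check the bulletin's KB reference before use).
$Kb = 'KB2992611'

# Constructed sample inventory; replace with Import-Csv against the real asset list.
# 'Exposure' is this example's own classification: internet, mobile, server, client.
$Inventory = @'
Name,Exposure
mail01,internet
www01,internet
lt-0042,mobile
fs01,server
pc-0117,client
'@ | ConvertFrom-Csv

# Patch order from the post: internet-facing first, then devices that leave the network,
# then internal servers, then the remaining internal clients.
$Rank = @{ internet = 1; mobile = 2; server = 3; client = 4 }

# Assumed list of listeners commonly backed by Schannel:
# HTTPS (443), SMTPS (465), LDAPS (636), IMAPS (993), POP3S (995), RDP (3389).
$TlsPorts = 443, 465, 636, 993, 995, 3389

function Test-Ms14066 {
    param([string]$ComputerName)
    try {
        # Get-HotFix reports an error when the KB is absent; -ErrorAction Stop makes it catchable.
        $null = Get-HotFix -Id $Kb -ComputerName $ComputerName -ErrorAction Stop
        return $true
    } catch {
        # KB missing or host unreachable: either way, treat the host as unpatched.
        return $false
    }
}

function Get-TlsListeners {
    param([string]$ComputerName)
    # Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later on the admin host.
    $TlsPorts | Where-Object {
        Test-NetConnection -ComputerName $ComputerName -Port $_ `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}

$Report = foreach ($Asset in $Inventory) {
    [pscustomobject]@{
        Name      = $Asset.Name
        Exposure  = $Asset.Exposure
        Rank      = $Rank[$Asset.Exposure]
        Patched   = Test-Ms14066 -ComputerName $Asset.Name
        Listeners = (Get-TlsListeners -ComputerName $Asset.Name) -join ','
    }
}

# Unpatched hosts first, then by the post's priority; a non-empty Listeners column
# flags a "client" that is in fact serving TLS and should move up the list.
$Report | Sort-Object Patched, Rank | Format-Table -AutoSize
```

Run it from an administrative workstation with network access to the hosts. A host that is unreachable shows up as unpatched with no listeners, which is the conservative result: it stays on the to-do list until someone confirms its state.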

Bon week end!

Rion-Antirion Bridge, 38°19'11.0"N 21°46'25.2"E
