Microsoft has issued emergency patches for a flaw that affects all supported versions of Windows. It’s a nasty one – a vulnerability in Windows’ implementation of the protocols for encrypting internet communications.
The critical flaw lies in Secure Channel (Schannel), a security package, used by Internet Explorer, that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. While there’s no evidence of its exploitation yet, it allows attackers to remotely execute code on the target’s machine and take it over, so it is imperative that all Windows users run an update immediately.
The CVE-2014-6332 vulnerability, dubbed “WinShock” by someone because scary things need catchy names, was found by IBM’s X-Force Research team and reported to Microsoft in May. In a Tuesday blog post, X-Force manager Robert Freeman noted that it had been present in Microsoft’s operating system since Windows 95, if not earlier.
Freeman wrote that the bug has been remotely exploitable for 18 years, adding that the length of time it went undetected means there may be more bugs in Windows that relate to arbitrary data manipulation.
“In fact, there may be multiple exploitation techniques that lead to possible remote code execution, as is the case with this particular bug,” he wrote. “Typically, attackers use remote code execution to install malware, which may have any number of malicious actions, such as keylogging, screen-grabbing and remote access.”
Unfortunately, this bug continues a worrying trend when it comes to vulnerabilities in big SSL/TLS implementations. Apple’s SecureTransport, OpenSSL, GnuTLS (used in GNOME and elsewhere) and Mozilla’s NSS have all been shown to contain serious flaws in recent months. It’s probably coincidental — code is buggy, news at 10 — but with the Snowden revelations having demonstrated that the NSA has “some capabilities” against SSL/TLS and other widely used security mechanisms, it’s no surprise that some see a more conspiratorial hand at work.
One broken SSL is a mistake.
Two is an accident.
Three is sabotage.
Apple, OpenSSL + Microsoft = NSA Full House ? https://t.co/EPi8xDtUxe
— Poul-Henning Kamp (@bsdphk) November 12, 2014
This article was updated at 9.40am PT to note that people are referring to the bug as WinShock, because of course they are.