Security Expert: One Week Or Less To Patch For Dangerous Microsoft Crypto Flaw
One of four critical security bulletins released by Microsoft this week has gained the attention of security industry experts, who warn managed service providers and IT administrators that attacks that aim at a weakness plaguing the core Windows SSL crypto implementation are imminent.
The Secure Channel (Schannel) security component in Windows implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols designed to secure sensitive Web browsing sessions and communication between other network applications. It is vulnerable to a bug that can enable an attacker to exploit it remotely and eavesdrop on the sensitive traffic or run malicious code on a server and gain access to other systems, Microsoft said.
Solution providers are comparing the vulnerable Windows Schannel implementation to the OpenSSL Heartbleed vulnerability, which roiled the SSL/TLS implementations in Unix and Linux systems earlier this year. Heartbleed forced a variety of security and networking gear makers to rush out patches to fix the broken OpenSSL implementation built into their products.
The SChannel vulnerability impacts all currently supported versions of Windows and Windows Server software, Microsoft said.
[Related: Heartbleed Attacks Still Actively Targeting Vulnerable Servers, Says IBM]
"Server and workstation systems that are running an affected version of Schannel are primarily at risk," the Redmond, Wash.-based software maker said in an advisory issued Tuesday. "Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets."
There are no known workarounds to block attackers from targeting the vulnerability. Microsoft gave the vulnerability an exploitability rating of 1, which indicates that an exploit would be fairly easy to create. While speed is essential, organizations need to still be systematic about deploying updates, sticking to security best practices and organizational procedures, said Johannes Ullrich, dean of research at the SANS Institute and head of the SANS Internet Storm Center.
"My guess is that you probably have a week, maybe less, to patch your systems before an exploit is released," Ullrich wrote in the Internet Storm Center blog. "As soon as a patch was released, it can be used to learn more about the vulnerability. It is very hard these days to obfuscate a patch sufficiently to hide the nature of a vulnerability."
Solution providers said the vulnerability is so widespread that it will impact organizations on older, unsupported versions of Windows. "Enterprises who still have Windows 2000 and Windows XP machines will find themselves in the uncomfortable situation of having an exploitable-but-unpatchable system on their network," said Joe Barrett, a senior security consultant at Foreground Security, a Lake Mary, Fla.-based security services provider. "Security researchers and black hats alike are most likely racing to get the first workable exploit against this vulnerability, and the bad guys will begin immediately using it to compromise as much as they can."
Security researchers have set their sights on identifying authentication protocol errors. Last month two Google researchers identified a vulnerability that weakened SSL 3.0, described as Padding Oracle On Downgrade Legacy Encryption, or POODLE. The threat caused browser makers to eliminate support for the outdated SSL/TLS protocol.
Microsoft issued 14 security bulletins, four rated critical, as part of its November 2014 Patch Tuesday. The three other critical bulletins repaired two zero-day vulnerabilities to Windows object linking and embedding (OLE) in Windows. The flaws were being actively exploited in a targeted attack campaign associated with the Sandworm gang. The attacks impacted people in the U.S., Poland, Ukraine and western Europe. A critical update also addressed 17 vulnerabilities in Internet Explorer.
PUBLISHED NOV. 13, 2014