Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

Critical crypto nought-day not the worst of mega Nov patch batch

The appearance of a critical flaw in Microsoft SChannel - patched as part of this year's phenomenal November Patch Tuesday - means that every major TLS stack has now fallen victim to a critical flaw at some time during this year.

The security flaw (MS14-066) in Microsoft's TLS cryptography library opens the door to remote code execution on unpatched servers, Redmond warns. As such the vulnerability is arguably even worse than the infamous Heartbleed vulnerability in OpenSSL, which, although easy to exploit, was only ever an information disclosure flaw.

The Microsoft SChannel vuln - dubbed WinShock by some - carries the risk that it might be exploited to push malicious code onto vulnerable systems, something not possible with Heartbleed.

Apple SecureTransport technology needed patching back in April while GnuTLS had not just one, but two very nasty flaws (details here and here) during 2014 in what can safely be described as an annus horribilis for web crypto.

"Every major TLS stack: OpenSSL, GNUTLS, NSS, MS SChannel, and Apple SecureTransport has had a severe vulnerability this year," security engineer Tony Arcieri noted in a Twitter update.

As well as patching the critical flaw in Microsoft SChannel, Redmond also used the update to add support for four new cipher suites. "This update includes new TLS cipher suites that offer more robust encryption to protect customer information," Microsoft explains in its notice. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."
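As an added illustration (not code from the article or from Microsoft), the Python below parses IANA-style cipher suite names and reports the two properties Microsoft's quote highlights: GCM mode and forward secrecy from an ephemeral DHE or ECDHE key exchange. The four suite names are assumed to be the ones added by the update and are illustrative, not taken from the article.

```python
# Added example, not from the article or from Microsoft: classify TLS
# cipher suite names by bulk-cipher mode and forward secrecy, the two
# properties the article's Microsoft quote highlights for the new suites.
import re

# Key-exchange prefixes that give (perfect) forward secrecy: a fresh DH or
# ECDH key per session, so a later theft of the server's long-term RSA key
# cannot decrypt recorded traffic.
_PFS_KX = {"DHE", "ECDHE"}

_NAME_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)

def classify_suite(name: str) -> dict:
    """Return key exchange, authentication, mode and PFS parsed from a suite name."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx_parts = m.group("kx").split("_")      # e.g. ["DHE", "RSA"] or ["RSA"]
    cipher = m.group("cipher")               # e.g. "AES_128_GCM"
    kx = kx_parts[0]
    auth = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
    return {
        "name": name,
        "key_exchange": kx,
        "authentication": auth,
        "gcm": cipher.endswith("_GCM"),
        "cbc": cipher.endswith("_CBC"),
        "forward_secrecy": kx in _PFS_KX,
    }

# Constructed list: assumed to be the four suites the update added (IANA
# names), plus one older CBC suite for contrast.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def summarise(suites):
    """Count how many suites use GCM, CBC, and a forward-secret key exchange."""
    info = [classify_suite(s) for s in suites]
    return {k: sum(i[k] for i in info) for k in ("gcm", "cbc", "forward_secrecy")}

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        c = classify_suite(s)
        print(f"{s:40} GCM={c['gcm']!s:5} PFS={c['forward_secrecy']}")
    print(summarise(SAMPLE_SUITES))
```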

Unusually Microsoft admits there are no mitigating factors against the vulnerability and no workarounds. "An attacker who successfully exploited this vulnerability could run arbitrary code on a target server" using malicious packets, it warned.

Windows Server 2012, Windows Server 2008 R2 and Windows Server 2003 are all vulnerable. Workstations running Vista, Windows 7 and Windows 8 are also on the critical list but perhaps not in quite so much immediate danger.

This is just about as bad as it gets and the only crumb of comfort comes from an absence of reports - for now at least - that the SChannel flaw is under attack. Curiously there's no acknowledgement of who reported the flaw to Microsoft, leaving open the possibilities that it was either discovered internally or privately reported by an entity that didn't want credit.

Gavin Millard, EMEA technical director for Tenable Network Security, urged immediate patching to defend against WinShock.

“Is 'WinShock' as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code, it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them," Millard said.

“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.

"It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and leading to further exploitation such as infecting hosts with malware or rootkits and the exfiltration of sensitive data," he added.

Get your patches here

Microsoft’s November Patch Tuesday touched down yesterday with 14 advisories, of which four are listed as critical, collectively covering 40 security vulnerabilities. The critical SChannel bug might not even be the most pressing candidate for triage, according to some patching experts. That "honour" goes to a fix for a vulnerability which created a means to booby-trap PDF files that has been a theme of recent hacker action.

Ross Barrett, senior manager of security engineering at Rapid7, advised: "The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE [Object Linking and Embedding]."

The other two critical updates are (MS14-066), a cumulative update for Internet Explorer that addresses 17 vulnerabilities, and (MS14-069), a fix for a Remote Code Execution (RCE) vulnerability in Microsoft Word 2007. The IE update includes a fix for a rare "unicorn-like" bug in Internet Explorer-dependent code that opens avenues for man-in-the-middle attacks, as previously reported.

Blimey. After all this sysadmins would be excused for feeling a bit like Brazilian defenders in a World Cup semi-final against Germany.

El Reg's security desk can't offer much comfort beyond pointing readers towards our initial November Patch Tuesday "teamsheet" story. ®

Biting the hand that feeds IT © 1998–2022