The appearance of a critical flaw in Microsoft SChannel - patched as part of this year's phenomenal November Patch Tuesday - means that every major TLS stack has now fallen victim to a critical flaw at some time during this year.
The security flaw (MS14-066) in Microsoft's TLS cryptography library open the door to remote code execution on unpatched servers, Redmond warns. As such the vulnerability is arguably even worse than the infamous Heartbleed vulnerability in OpenSSL, which, although easy to exploit, was only ever an information disclosure flaw.
The Microsoft SChannel vuln - dubbed WinShock by some - carries the risk that it might be exploited to push malicious code onto vulnerable systems, something not possible with Heartbleed.
Apple SecureTransport technology needed patching back in April while GnuTLS had not just one, but two very nasty flaws (details here and here) during 2014 in what can safely be described as an annus horribilis for web crypto.
"Every major TLS stack: OpenSSL, GNUTLS, NSS, MS SChannel, and Apple SecureTransport has had a severe vulnerability this year," security engineer Tony Arcieri noted in a Twitter update.
As well as patching the critical flaw in Microsoft SChannel, Redmond also used the update to add support for four new cipher suites. "This update includes new TLS cipher suites that offer more robust encryption to protect customer information," Microsoft explains in its notice. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."
Unusually Microsoft admits there are no mitigating factors against the vulnerability and no workarounds. "An attacker who successfully exploited this vulnerability could run arbitrary code on a target server" using malicious packets, it warned.
Windows Server 2012, Windows Server 2008 R2 and Windows Server 2003 are all vulnerable. Workstations running Vista, Windows 7 and Windows 8 are also on the critical list but perhaps not in quite so much immediate danger.
This is just about as bad as it gets and the only crumb of comfort comes from an absence of reports - for now at least - that the SChannel flaw is under attack. Curiously there's no acknowledgement on who reported the flaw to Microsoft, leaving open the possibilities that it was either discovered internally and privately reported by an entity that didn't want credit.
Gavin Millard, EMEA technical director for Tenable Network Security, urged immediate patching to defend against WinShock.
“Is 'WinShock' as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code, it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them," Millard said.
“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.
"It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infect hosts with malware or rootkits and the exfiltration of sensitive data," he added.
Get your patches here
Microsoft’s November Patch Tuesday touched down yesterday with 14 advisories, of which four are listed as critical, collectively covering 40 security vulnerabilities. The critical SChannel bug might not even be the most pressing candidate for triage, according to some patching experts. That "honour" goes to a fix for a vulnerability which created a means to booby-trap PDF files that has been a theme of recent hacker action.
Ross Barrett, senior manager of security engineering at Rapid7, advised: "The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE [Object Linking and Embedding]."
The other two critical updates are (MS14-066), a cumulative update for Internet Explorer that addresses 17 vulnerabilities, and (MS14-069), a fix for a Remote Code Execution (RCE) vulnerability in Microsoft Word 2007. The IE update includes a fix for a rare "unicorn-like" bug in Internet Explorer-dependent code that opens avenues for man-in-the-middle attacks, as previously reported.
Blimey. After all this sysadmins would be excused for feeling a bit like Brazilian defenders in a World Cup semi-final against Germany.
El Reg's security desk can't offer much comfort beyond pointing readers towards our initial November Patch Tuesday "teamsheet" story. ®