Catastrophic Windows Bug for All Versions: Update Now

[Sir T]

Didn;t find a mention of this. Update now peeps.

http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/

Potentially catastrophic bug bites all versions of Windows. Patch now
Bug allowing execution of malicious code resides in TLS stack.

by Dan Goodin - Nov 12, 2014 12:45 am UTC


Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

"If they install software that listens on port, then that machine would be vulnerable," he said. An example would be "if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client."

Tuesday's disclosure means that every major TLS stack—including Apple SecureTransport , GNUTLS, OpenSSL, NSS, and now Microsoft SChannel—has had a severe vulnerability this year. In some cases, the flaws merely allowed attackers to bypass encryption protections, while others—most notably the Heartbleed bug in OpenSSL and the one patched Tuesday in Windows, allowed adversaries to steal highly sensitive data and execute malicious code on vulnerable systems respectively.

Microsoft's advisory said there are no mitigating factors and no workarounds for the bug. A separate exploitation index assessed real-world attacks as "likely" for both newer and older Windows releases. The advisory said there is no evidence pointing to in-the-wild exploits against Windows users at the time it was drafted. MS14-066 was one of 16 updates Microsoft scheduled for this month's Patch Tuesday batch. They include a fix for a zero-day vulnerability already under attack in highly targeted espionage attacks.

It took less than 12 hours after the disclosure of the catastrophic Heartbleed bug for it to be turned against Yahoo and other sites. Anyone who uses a Windows computer—especially if it runs a Web or e-mail server—should ensure Tuesday's update is installed immediately.

[ajax34i]

Similar to that Heartbleed virus/issue earlier this year?

[Fordel]

Oh is this why this update was like 20 items long?

[Torinak]

Similar to that Heartbleed virus/issue earlier this year?

Based on the above, it's much much worse. Heartbleed allowed for stealing credentials. This bug allows for fully compromising the system, just by sending it network traffic. So, an attacker can scan the entire Internet and automatically compromise any vulnerable system.

[calapine]

There also has been a fix for another, separate bug which apparently has been around for 18(!) years.

A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1]

Description
This vulnerability can be exploited using a specially-crafted web page utilizing VBscript in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and VBscript.

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647.

Impact
Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system.

More detailed:
http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/

Affects all Windows versions back Windows 95. IBM already alerted MS about this already in may, but it's patched only now.

[tinfoil] Convenient for MS that this exploit wasn't found earlier this year. Thus no patch for Windows XP. [/tinfoil]

For Windows XP users not browsing with Internet Explorer should be a first step, because the exploit relies on VBScript, which only IE still bothers to support.  ^{no responsibility is taken for the correctness of this information}

Edit: Oh, I found this tid-bit from the X-Force researcher interesting: "I have no doubt that it would have fetched six figures on the gray market. " What temptation that must be working at such place... 

[Yegolev]

I suppose this is of no concern to people that do not use IE.

[Chimpy]

The security vulnerability is bigger than just a IE/VBS thing. The exploit they talk about of said vulnerability requires VBS.

[Yegolev]

I will then suppose it depends on what is meant by a specially-crafted web page.

[Torinak]

I suppose this is of no concern to people that do not use IE.

Watch out for other programs that may "helpfully" launch IE so you can view exciting news about the MMO you're trying to patch, read documentation, license agreements, program updates, etc.

Also, the requirement that a "user views a specially-crafted web page" usually translates into "user visits a not-bad site that happens to be using a dodgy ad provider that sends you to the specially-crafted web page".

[Yegolev]

Yes, the applications that open IE instead of Default Browser are super annoying.  Especially since DB is Firefox+NoScript+ABE+Ghostery.

[Samwise]

Isn't the Steam overlay browser on Windows IE-based?

[bhodi]

Yes.

[Yegolev]

[KallDrexx]

I thought they replaced it with a webkit based browser to make cross compatibility easier.

[calapine]

I thought they replaced it with a webkit based browser to make cross compatibility easier.

I looked it up, and thank god you are right. WebKit since 2010.