Microsoft’s newly released security update for MS14-066 addresses the vulnerability – and this should be a top priority for system administrators, according to some security experts.
The flaw in Microsoft’s Secure Channel (SChannel) implementation could allow a remote, unauthenticated attacker to execute arbitrary code.
SChannel bug affects many systems
“Attackers could execute arbitrary code on a long list of Microsoft products, including desktop systems with RDP enabled and any web applications using IIS for HTTPS,” said Craig Young, security researcher at Tripwire.
“Reliable exploitation of the SChannel bug has the potential to be worse than Heartbleed and Shellshock combined due to the large numbers of affected systems.”
Ross Barrett, senior manager of security engineering at Rapid7, described the vulnerability as a risky issue.
“What makes this particularly risky is that there is a very good chance the service could be exposed or accessed via the perimeter,” Barrett said.
Administrators' patching priorities
According to Young, Heartbleed was less powerful because it was just an information disclosure bug. Shellshock was remotely exploitable only in a subset of affected systems.
He said some administrators may want to prioritise this over the IE patch – even though there had been attacks against the browser – because MS14-066 could be exploited without user interaction.
“Fortunately Microsoft’s assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give administrators enough time to patch their systems before we see exploits,” said Young.
TK Keanini, chief technology officer at Lancope, said system administrators should already have a process to review and patch after each Microsoft update.
“Those who have good habits remain secure, but those who have bad habits need reminders – or will ultimately get compromised before they get around to updating,” he said.
Keanini said the SChannel bug affects the listening side of the connection – traditionally the server – but added that it is difficult to make this differentiation nowadays, with software installing on traditional desktop operating systems as servers.
“Online games are particularly notorious in installing listening ports for incoming connections, so it is best that everyone just applies the patch, regardless of the client or server designation,” he said.
SChannel bug worse than OpenSSL Heartbleed
Keanini expects attackers to add the exploitation of the SChannel bug to their toolkit as they explore networks for ways to get access.
“System administrators have two tasks: First, to patch and narrow the aperture of the target surface; and second – more importantly – to have the telemetry in place so that, if someone is performing this reconnaissance on a network, they can be spotted and blocked before exploitations or exfiltration,” he said.
Microsoft’s disclosure about the SChannel vulnerability means that a severe vulnerability has been reported in just about every major TLS stack this year.
Until now, the most severe has been the Heartbleed bug in OpenSSL, but it has now been joined – and possibly surpassed – by the SChannel vulnerability.
Security experts said the appropriate software update should be installed on all Windows-based computers as soon as possible.