Microsoft SSL bug could be worse than Heartbleed, say researchers

Researchers say the SSL flaw in Microsoft Windows could be worse than Heartbleed and Shellshock

Security researchers say the newly-disclosed critical SSL weakness in Microsoft’s Windows operating system could be worse than Heartbleed and Shellshock.

Microsoft’s newly released security bulletin MS14-066 addresses the vulnerability – and applying its update should be a top priority for system administrators, according to some security experts.

The flaw in Microsoft’s Secure Channel (SChannel) implementation could allow a remote, unauthenticated attacker to execute arbitrary code.

The SChannel security component implements the secure sockets layer (SSL) and transport layer security (TLS) protocols.

SChannel bug affects many systems

“Attackers could execute arbitrary code on a long list of Microsoft products, including desktop systems with RDP enabled and any web applications using IIS for HTTPS,” said Craig Young, security researcher at Tripwire.

“Reliable exploitation of the SChannel bug has the potential to be worse than Heartbleed and Shellshock combined due to the large numbers of affected systems.”

Ross Barrett, senior manager of security engineering at Rapid7, described the vulnerability as a risky issue.

“What makes this particularly risky is that there is a very good chance the service could be exposed or accessed via the perimeter,” Barrett said.

Administrators' patching priorities

According to Young, Heartbleed was less powerful because it was just an information disclosure bug. Shellshock was remotely exploitable only in a subset of affected systems.

He said some administrators may want to prioritise this over the IE patch – even though there had been attacks against the browser – because MS14-066 could be exploited without user interaction.

“Fortunately Microsoft’s assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give administrators enough time to patch their systems before we see exploits,” said Young.

TK Keanini, chief technology officer at Lancope, said system administrators should already have a process to review and patch after each Microsoft update.

“Those who have good habits remain secure, but those who have bad habits need reminders – or will ultimately get compromised before they get around to updating,” he said.

Keanini said the SChannel bug affects the listening side of the connection – traditionally the server – but added that it is difficult to make this differentiation nowadays, with software installing on traditional desktop operating systems as servers.

“Online games are particularly notorious in installing listening ports for incoming connections, so it is best that everyone just applies the patch, regardless of the client or server designation,” he said.
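As an added worked check that is not part of the article and not Microsoft's own guidance: a PowerShell inventory an administrator could run on each Windows host to act on the advice above, testing whether the MS14-066 update is present and listing every TCP listener with its owning process, whatever the machine's nominal client or server role. It assumes the MS14-066 update installs as KB2992611 (the bulletin number is not the package ID; a later rollup that supersedes it will not show that ID) and that the host runs Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists; on older systems substitute netstat -ano for the listener enumeration.

```powershell
# Added example, not from the article: inventory one Windows host for MS14-066 exposure.
# Assumption: the MS14-066 update installs as KB2992611; a later cumulative rollup may
# supersede it without listing that ID, so treat a "missing" result as "go and verify".
$Ms14066Kb = 'KB2992611'

function Test-Ms14066Patched {
    param([string]$HotfixId = $Ms14066Kb)
    # Get-HotFix writes a non-terminating error when the ID is absent; swallow it and
    # return a plain boolean so the result can feed a scheduled-task or inventory report.
    $hit = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    return [bool]$hit
}

function Get-TcpListeners {
    # Every listening socket is reachable by an unauthenticated client, which is the
    # condition the quotes above describe. The map only labels the well-known SChannel
    # consumers; the point of listing everything is to see the listeners you did not expect.
    $knownTlsPorts = @{ 443 = 'HTTPS (IIS)'; 3389 = 'RDP'; 636 = 'LDAPS'; 5986 = 'WinRM over HTTPS' }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress    = $_.LocalAddress
            Port            = $_.LocalPort
            Process         = if ($proc) { $proc.ProcessName } else { 'unknown' }
            KnownTlsService = if ($knownTlsPorts.ContainsKey([int]$_.LocalPort)) { $knownTlsPorts[[int]$_.LocalPort] } else { '' }
            # 0.0.0.0 / :: means bound on every interface, i.e. reachable from the
            # perimeter unless something in between filters it
            AllInterfaces   = $_.LocalAddress -in @('0.0.0.0', '::')
        }
    } | Sort-Object Port
}

$patched = Test-Ms14066Patched
Write-Host ("{0}: MS14-066 ({1}) installed = {2}" -f $env:COMPUTERNAME, $Ms14066Kb, $patched)
if (-not $patched) {
    Write-Warning 'Unpatched host exposing the listeners below; patch before anything else.'
}
Get-TcpListeners | Format-Table -AutoSize
```

Run it in an elevated session so Get-Process can resolve the owning process of system listeners. Rows with AllInterfaces set to True and an empty KnownTlsService column are the ones worth a second look: they are the game launchers and other desktop software with listening ports that Keanini describes, and whether they use SChannel is not visible from the port number alone.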

SChannel bug could surpass OpenSSL Heartbleed

Keanini expects attackers to add the exploitation of the SChannel bug to their toolkit as they explore networks for ways to get access.

“System administrators have two tasks: First, to patch and narrow the aperture of the target surface; and second – more importantly – to have the telemetry in place so that, if someone is performing this reconnaissance on a network, they can be spotted and blocked before exploitation or exfiltration,” he said.

Microsoft’s disclosure about the SChannel vulnerability means that a severe vulnerability has been reported in just about every major TLS stack this year.

Until now, the most severe has been the Heartbleed bug in OpenSSL, but it has now been joined – and possibly surpassed – by the SChannel vulnerability.

Security experts said anyone running Windows-based computers should install the appropriate software update as soon as possible.
