
Critical Schannel flaw in Windows exposed, Microsoft issues patch

Adding to the list of crypto flaws that have surfaced this year, a new one has now turned up in the Windows OS. The flaw, found during a “proactive audit”, is located in the secure channel, or Schannel, technology. To some extent, Schannel is Microsoft’s counterpart to OpenSSL, in the sense that it is the component that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) for the OS. So it is ironic, yet not unheard of, that the component in charge of implementing secure communication would become the vehicle for compromising the security of a system. The more surprising fact is that this flaw existed in all Windows operating systems from Windows 2003 to the current versions, and nobody ever noticed it.

Microsoft tight-lipped

As in most cases of proprietary software, Microsoft has not been very forthcoming about the details and extent of this bug. The flaw can be exploited by an attacker to remotely attack a machine. In fact, the flaw is serious enough that every unpatched Windows machine around the globe is vulnerable to this attack. These are the official details given by Microsoft:

A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets.

In simpler words, if an attacker is able to modify a few packets being sent to your machine, he can theoretically execute any program he wishes on your machine, regardless of whether he has proper access. And the worst part is that this flaw affects every release of Windows from 2003 onwards, including Windows Server releases. Keeping in mind the number of machines affected, experts believe that this may lead to a bigger threat than even Heartbleed. In order to exploit the vulnerability, an attacker only needs to control a malicious Web page with the exploit code and have users visit it. The Schannel vulnerability follows in the dubious footsteps of many other SSL/TLS vulnerabilities that have appeared on the landscape in the last couple of years.

The Good News

The silver lining in the news is that this is still just a potential threat. We say potential because no attacks using this vulnerability have been reported yet. Also, Microsoft has released a patch for the flaw, which means the loophole has been plugged. The patch in question is MS14-066, otherwise known by the cryptic name “Vulnerability in Schannel Could Allow Remote Code Execution.” Microsoft has also said that there is no workaround for this flaw other than the patch.

There are other security flaws that Microsoft is patching this month, but the Schannel flaw seems to be the worst of the batch. While the others require that users visit a specially crafted website in order to be compromised, this one can be initiated by an external attacker without any help from the user.

Microsoft also added several new cipher suites to its TLS implementation in Windows. “In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to available TLS cipher suites. This update includes new TLS cipher suites that offer more robust encryption to protect customer information. These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication,” the advisory says.
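
To check which suites in a configured list have the two properties the advisory names (GCM mode, and forward secrecy through an ephemeral key exchange), the following added example, which is not from Microsoft or the original article, parses standard TLS 1.2-style suite names. The function names and the sample list are constructed for illustration; the curve-suffix handling reflects how older Schannel releases name ECDHE suites.

```python
import re

# Older Schannel releases append the curve to ECDHE suite names (e.g. ..._P256).
_CURVE_SUFFIX = re.compile(r"_(P256|P384|P521)$")

def classify_suite(name):
    """Parse a TLS 1.2-style suite name and flag GCM mode and forward secrecy."""
    base = _CURVE_SUFFIX.sub("", name.strip().upper())
    if not base.startswith("TLS_") or "_WITH_" not in base:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    handshake, bulk = base[len("TLS_"):].split("_WITH_", 1)
    parts = handshake.split("_")
    key_exchange = parts[0]
    # In TLS_RSA_WITH_* the RSA key does both key transport and authentication.
    auth = parts[1] if len(parts) > 1 else parts[0]
    cipher, _, mac = bulk.rpartition("_")
    return {
        "name": name, "key_exchange": key_exchange, "auth": auth,
        "cipher": cipher, "hash": mac,
        "gcm": cipher.endswith("_GCM"),
        # Only ephemeral (EC)DH gives forward secrecy; static RSA does not.
        "pfs": key_exchange in ("DHE", "ECDHE"),
    }

def audit(suites):
    """Group an ordered suite list by the two properties the advisory names."""
    report = {"gcm_pfs": [], "gcm_no_pfs": [], "other": []}
    for name in suites:
        info = classify_suite(name)
        if info["gcm"] and info["pfs"]:
            report["gcm_pfs"].append(name)
        elif info["gcm"]:
            report["gcm_no_pfs"].append(name)
        else:
            report["other"].append(name)
    return report

# Constructed sample list (illustrative, not taken from the bulletin).
SAMPLE = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE).items():
        print(bucket, names)
```

Suites landing in `gcm_no_pfs` use authenticated encryption but rely on static RSA key transport, so a later compromise of the server key exposes recorded sessions.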

Techworm advises you to apply the Schannel patch immediately if you are using a Windows OS.