Microsoft has closed a great many flaws, including a 0-day abused by the Sandworm team, in November’s Patch Tuesday.
But there is another vulnerability that you should be worried about and should implement a patch for as soon as possible: the one that affects the Microsoft Secure Channel (Schannel) security package in all supported releases of Microsoft Windows.
Schannel implements security protocols that provide identity authentication and secure, private communication between a client and a server over the web through encryption.
According to the accompanying security bulletin, there are no mitigating factors or workarounds for this vulnerability – dubbed WinShock by some – so applying the patch should be a must.
“Server and workstation systems that are running an affected version of Schannel are primarily at risk,” the company warned. “An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server,” they noted, and the result of the exploitation could be arbitrary code execution on a target server.
Fortunately, there are no reports about the bug being exploited in attacks in the wild.
The update also includes new available TLS cipher suites in Schannel. “These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication,” Microsoft pointed out.
Microsoft does not say who discovered the bug, only that they received information about it through coordinated vulnerability disclosure.
According to Qualys CTO Wolfgang Kandek, the fixes “are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles.”
“The vulnerabilities are private as they were found by Microsoft internally and while Microsoft considers it technically challenging to code an exploit, it is only a matter of time and resources, and it is prudent to install this bulletin in your next patch cycle,” he advised.
“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated,” noted Gavin Millard, EMEA Technical Director for Tenable Network Security. “It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infect hosts with malware or rootkits and the exfiltration of sensitive data.”
“Is “WinShock” as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them,” he added.
“As per usual with the ‘Bug Du Jour’, it is of upmost importance that every system in the environment is identified and patched, if required, to reduce the risk of data loss from targeted attackers and the impact of any worms or malware that may surface over the coming days.”
Another serious bug that has been patched is an almost two decades old vulnerability found by the IBM X-Force Research team.
“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” says IBM’s Robert Freeman.