Microsoft Patches Schannel Vulnerability
Some Experts Compare Flaw to Heartbleed
Microsoft this week issued a patch to correct a critical vulnerability in the Microsoft Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms. The bug is "very concerning" for organizations running the service, according to security experts, who say the potential attack vector is similar to the Heartbleed vulnerability.
"Heartbleed provided the blueprint for attackers to analyze other similar protocols and technologies for encrypting transmissions, and they immediately started to see if Microsoft could be penetrated in a similar fashion," says JD Sherry, vice president of technology and solutions at Trend Micro.
The Schannel vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server, Microsoft says in a Nov. 11 security bulletin.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for Web applications, e-mail, instant messaging and some virtual private networks (see: How to Treat the Heartbleed Bug).
Analyzing the Bug
The greatest impact of the newly discovered Windows vulnerability will most likely be on Microsoft Exchange mail servers, where Microsoft's protocols are heavily used to encrypt mail traffic, Sherry says. "Attackers can glean a tremendous amount of information if they were able to intercept e-mail traffic from infected mail servers," he says.
Schannel is the standard SSL library that ships with Windows, says Brian Evans, senior managing consultant at IBM Security Services. "As a result, most Windows software takes advantage of SSL to use Schannel," he says.
Microsoft assigned the vulnerability an exploitability rating of "1," which indicates that an exploit is likely to be developed soon, Evans says. "The most likely targets are SSL services that are reachable from the Internet, such as Web and e-mail servers."
Organizations should ensure they have an accurate inventory of what systems may be affected by the flaw, Evans says. "While patching for this vulnerability is important, organizations should review their last external and internal vulnerability scan or repeat the scan if it hasn't occurred within the last month," he says.
Implementing the patch that Microsoft made available is urgent to mitigate the encrypted channel vulnerability, Sherry at Trend Micro says.
Microsoft Also Patching 19-Year-Old Bug
This week, Microsoft also issued a patch for a vulnerability that could allow for remote code execution if a user views a specially crafted webpage using Internet Explorer. The bug exists in Microsoft Windows Object Linking and Embedding, a technology that enables applications to share data and functionality, Microsoft says.
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, Microsoft says in its security bulletin. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
IBM in a Nov. 11 blog says it discovered the vulnerability and notified Microsoft with a proof-of-concept exploit back in May.
"The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine," IBM says.
IBM says the bug is at least 19 years old and has been remotely exploitable for the past 18 years. "This means that significant vulnerabilities can go undetected for some time," the company says.
The vulnerability gives cyber-attackers another weapon to unleash on individuals and organizations running the Windows operating system, says Sherry at Trend Micro. "General awareness of this will allow attackers to level-up and refactor their spam runs and campaigns to generate websites that house attack code specifically engineered to exploit this vulnerability," he says.
The flaw poses a significant risk for organizations running Windows XP, which Microsoft no longer supports, Sherry says (see: What Happens When Windows XP Support Ends?). "If the world conservatively still has 15 to 20 percent of PCs running XP, they will have no workaround to defend against this critical threat."