Nov 18 2014

Microsoft Fixes Severe SChannel and OLE Vulnerabilities [Update]

Redmond's monthly security update cures massive ills in its server and desktop operating systems that affect all versions since Windows Server 2003 and Vista, respectively. Admins are urged to install the critical fixes on the spot.

As is often the case with more dangerous security holes, Microsoft remains relatively tight-lipped about the attack vectors and causes of these evidently serious flaws. Security Bulletin MS14-066, which would normally describe the SChannel vulnerability at least to some degree, merely states that it allows for remote code execution "if an attacker sends specially crafted packets to a Windows server" and that the related update corrects how SChannel "sanitizes" these packets. Apparently there are no mitigating factors or workarounds, so installing the patch appears to be the only way to fix affected Windows installations. Since SChannel is essentially a DLL that implements the SSL and TLS standards to ensure proper authentication and encrypted communication online, such repair work is critical indeed – if left open, the vulnerability could compromise the entire "crypto infrastructure" embedded in Windows operating systems and applications, in particular Internet Explorer.

The OLE (Object Linking and Embedding) vulnerability described in Security Bulletin MS14-064 is of similar severity; in this case, unsuspecting surfers could fall victim to an attack if they view a specially prepared web page with Internet Explorer. If successful, the attacker could then take control of vulnerable servers and desktops and do whatever he pleases afterwards so long as the victim was logged on with administrative user rights (as roughly 9 out of 10 Windows users are) – meaning that he could steal, manipulate or wipe out data, install software and open up further accounts with full user rights on the same machine. As before, the related patches appear to be critical enough; only this time around, Microsoft lists a few mitigating factors – namely, that the consequences may be less severe for users without admin privileges and that everyone who doesn't blindly follow every link in emails or IM messages and doesn't reflexively open attachments should be relatively safe. This would normally make the OLE bug a little less severe than its SChannel counterpart; however, there's one small problem left: security researchers from IBM's X-Force team found out that this particular flaw first appeared in Windows 95 and has been remotely exploitable since the launch of IE 3. In other words, this hole existed for almost 20 years, and there's simply no telling whether it has been exploited or not in retrospect. Honi soit qui mal y pense!

[Update 11-12-14:] Users who have previously installed Microsoft's Enhanced Mitigation Experience Toolkit (EMET) in version 5.0 may find that applications like IE become inoperable after the patches have been installed. In these cases, it helps to update to EMET 5.1. Better still, run the EMET update first and then follow suit with the patches.

[Update 11-18-14:] Apparently, the SChannel patch is causing serious problems in configurations where TLS 1.2 is enabled by default. Microsoft has confirmed that TLS negotiations may fail and that afterwards connections are dropped, processes stop responding, or services stop working – and suggests registry changes as a workaround. In addition, there seem to be issues with Access and SQL Server, which could run into major performance problems after the update, writes software developer Darren Myher from ERP vendor Blue Link. Reports on TechNet about the patch also "breaking" Microsoft's Internet Information Services (IIS), more precisely causing it to stop responding to recent versions of Chrome 38 (64-bit edition), have not been confirmed yet.

