- Joined
- Jun 27, 2006
- Location
- Chicago, IL
Original release date: November 14, 2014
Systems Affected
Microsoft Windows XP and 2000 may also be affected.
Overview
A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]
Description
Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]
It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]
Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]
Impact
This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]
Solution
Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]
References
This product is provided subject to this Notification and this Privacy & Use policy.
Continue reading...
Systems Affected
- Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
- Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2
Microsoft Windows XP and 2000 may also be affected.
Overview
A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]
Description
Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]
It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]
Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]
Impact
This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]
Solution
Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]
References
- [1] NIST Vulnerability Summary for CVE-2014-6321
- [2] Microsoft Security Bulletin MS14-066 - Critical
- [3] Microsoft, Secure Channel
- [4] Reddit, Microsoft Security Bulletin MS14-066
- [5] Pastebin, SChannelShenanigans
- [6] Winshock.txt
- November 14, 2014: Initial Release
This product is provided subject to this Notification and this Privacy & Use policy.
Continue reading...
