Microsoft released their regular Tuesday patch for this month two days ago, on 11th November. The patch fixes many issues, including the Sandworm 0-day, but a flaw in their security still remains. We’re talking about the Microsoft Secure Channel (Schannel) package, which affects all supported versions of the Windows OS.
Schannel – Bugs in the Code
Schannel implements security protocols that provide authenticated communication between clients and servers over encrypted connections. According to a security update from Microsoft from 11th November, “A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets.” Fortunately, there are no reports of such attacks at the moment.
Nevertheless, Microsoft is releasing temporary fixes for some cipher suites in Schannel. “In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to available TLS cipher suites. This update includes new TLS cipher suites that offer more robust encryption to protect customer information. These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication,” they write in the release.
Experts’ Opinion on the Bugs
According to Wolfgang Kandek, Chief Technical Officer at Qualys Security and Cloud Platform Company, Microsoft’s updates are the result of internal memory errors in both the server and the client. He also thinks that the vulnerabilities are more private than common ones and that, although hard to code, Microsoft should release an automated fix in their next patch release.
As Gavin Millard, EMEA Technical Director for Tenable Network Security, notes, although there is still no proof that stable proof-of-concept malware code targeting this Microsoft vulnerability has appeared, it might be only a matter of time before hackers come up with one. This could cause many problems for admins who still haven’t updated their systems. He advises that all Windows versions be kept up and running and properly updated, as attackers can execute code remotely on servers and thus infect machines.
One more bug fixed in this week’s Microsoft patch release is the almost two-decade-old CVE-2014-6332 “unicorn-like” vulnerability, found and reported to the company by the IBM X-Force research team. The bug can be triggered remotely by hackers, bypassing the Enhanced Protected Mode (EPM) of Internet Explorer 11 and even the Enhanced Mitigation Experience Toolkit (EMET), which Microsoft offers for free, to harm the machine it is targeted at.