Windows users were, I suspect, a little disappointed that OpenSSL's Heartbleed hardly affected them. Now they can join in the fun, because they have a comparably serious vulnerability of their own!
Yesterday Microsoft published Security Bulletin MS14-066, which describes a critical bug in SChannel (Secure Channel), Microsoft's SSL/TLS implementation, that allows an attacker to execute arbitrary code remotely. Updates that fix the vulnerability are already available through Windows Update.
All versions of Windows since Server 2003 are affected, including Windows RT. Since Windows RT is a client-only operating system, this suggests that the vulnerability is not limited to the server side: a client that connects to a malicious server is exposed as well.
Affected Windows versions:
- Windows Server 2003 Service Pack 2
- Windows Vista Service Pack 2
- Windows Server 2008 Service Pack 2
- Windows 7 Service Pack 1
- Windows Server 2008 R2
- Windows 8
- Windows 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
According to the TechNet blog, the vulnerability was found by Microsoft itself during internal security testing of its products, so it can reasonably be assumed that it had not been exploited before the patch was released (internal discovery is, of course, no guarantee that nobody else knew about it).
The Cisco blog points out that the single CVE actually covers several bugs at once, ranging from a buffer overflow to a certificate validation bypass.
Among other things, the update adds new cipher suites based on AES-GCM to SChannel.
Install it as soon as possible.
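As an added example (this script is not part of the original post or of Microsoft's bulletin), here is a PowerShell check that a practitioner can run on a host to confirm the update is installed and to see which SChannel cipher suites, including the new AES-GCM ones, are actually configured. It assumes the hotfix ID for this bulletin is KB2992611; verify the ID for your OS in the bulletin before relying on it. The registry paths are the standard SChannel cipher suite order locations (Group Policy override and local default).

```powershell
# Added example (not from the original post): check the MS14-066 update and the
# SChannel cipher suite order on this host. Run from an elevated PowerShell prompt.
# Assumption: the hotfix ID for this bulletin is KB2992611 (check the bulletin for your OS).

$KbId = 'KB2992611'

# 1. Is the hotfix installed? Get-HotFix reads the installed-updates list from WMI.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) {
    "{0} installed on {1}" -f $fix.HotFixID, $fix.InstalledOn
} else {
    "$KbId NOT found - patch this host (or confirm that a superseding update is installed)"
}

# 2. Which cipher suites will SChannel negotiate, and in what order?
# A Group Policy setting (comma-separated REG_SZ) overrides the local default
# list (REG_MULTI_SZ), so check the policy key first.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    $suites = $policy.Functions -split ','
    $source = 'Group Policy'
} else {
    $suites = (Get-ItemProperty -Path $localKey -Name Functions).Functions
    $source = 'local default'
}

"Cipher suite order ($source):"
$suites | ForEach-Object { "  $_" }

# 3. Flag the AES-GCM suites the update adds, and any weak suites still enabled.
$gcm  = $suites | Where-Object { $_ -match 'AES_(128|256)_GCM' }
$weak = $suites | Where-Object { $_ -match 'RC4|NULL|EXPORT|MD5' }

"AES-GCM suites enabled: " + $(if ($gcm) { @($gcm).Count } else { 0 })
if ($weak) {
    "Weak suites still enabled:"
    $weak | ForEach-Object { "  $_" }
}
```

Two caveats: Get-HotFix only lists updates recorded as QFEs, so a host updated through a newer cumulative package may report the KB as absent even though the fix is present; and the presence of AES-GCM suites in the list only tells you they are enabled, not that a given server or client will actually negotiate them, so verify the negotiated suite on a real connection as well.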