Microsoft Patch Tuesday release Update (MS14-066) – Rated as Critical

There have been many security flaws identified in SSL in recent months, and Microsoft have just released a patch for another one.

The Facts

The patch addresses a vulnerability in the Schannel component, which is present in all Windows systems. Schannel implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.

Traffic is sanity-checked by Schannel, but there is a flaw in this process which can allow specially crafted packets through. This can allow an attacker to run arbitrary code on any system offering TLS/SSL, potentially taking control of the system.

IIS servers are clearly at risk but your machine can also be vulnerable if you accept encrypted traffic. Microsoft were not aware of any successful attacks using this vulnerability at the time their advisory was drafted, but as it has now been made public there will obviously be vigorous attempts in certain quarters to take advantage of it.

What We Recommend

This vulnerability is limited to Windows devices, and there is no risk to any of our Sophos Security Gateways. The vulnerability should be taken seriously, but we perceive the risk to you to be minimal. To be on the safe side, however, we recommend that you install the latest updates available from Microsoft as soon as possible on all Windows systems, particularly web and e-mail servers.
