November 14, 2014

MS14-066 - Patch em if you got em

Written by David Kennedy
Penetration Testing Security Testing & Analysis
Critical flaws have been identified in Security Channel (SChannel), the Security Support Provider (SSP) package that is the backbone of the SSL implementation on Microsoft's Windows platforms, from old to new. A patch, MS14-066, was just released containing fixes for some of the exposures (probably more to come). Multiple proof of concepts are already out in the wild and working towards reliable exploitation; Immunity has already released a PoC to its customers (Immunity PoC).

As most remember, the most notorious remotely exploitable flaw in recent memory was MS08-067, which took advantage of a stack-based overflow in the RPC service. That flaw was so damaging because it allowed remote code execution (RCE) consistently across multiple Windows versions, RPC being an extremely common protocol. What makes MS14-066 such an alarming exposure is the ability to gain RCE through very common services, such as Remote Desktop Protocol (RDP) or the widely popular web platform Internet Information Services (IIS), which most enterprise environments currently use. It also affects any other service that uses the vulnerable libraries. As with any exploit, specific conditions must be met; however, as of right now, reliable exploitation seems likely. The fullest extent of this bug is only now coming to light, and only time will tell, but we may be looking at the modern-day, 2014 MS08-067.

The SChannel flaw affects almost every version of Microsoft's operating system, including its latest, Server 2012 R2 and Windows 8.1. For more information on the advisory, visit Microsoft's website: https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

TrustedSec strongly recommends treating this patch as highly critical and moving forward to fix this issue as soon as possible.

Update: November 14, 2014 - 4:47PM ET - Fixed wording on reliable exploitation vs. working towards reliable exploitation.
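Since the recommendation above is to patch immediately, a defender's first question is which hosts still lack the update. The following PowerShell function is an added example (not code from the TrustedSec post) that reads each host's installed-update list with Get-HotFix and reports the hosts missing a given KB. The KB number of the MS14-066 update is not stated in this post, so it is a required parameter to be taken from the Microsoft advisory linked above; the host names in the usage line are placeholders.

```powershell
# Added example (not from the TrustedSec post): report which hosts are missing
# a given update. The MS14-066 KB number is NOT hard-coded here; take it from
# the Microsoft advisory and pass it as -KbId. Host names are placeholders.
function Get-MissingHotFix {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $KbId
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads the host's installed-update list
            # (Win32_QuickFixEngineering) over DCOM/WMI.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        } catch {
            # Unreachable or access denied: report it rather than silently skipping,
            # since an unchecked host is not a patched host.
            [pscustomobject]@{
                ComputerName = $computer
                Status       = 'Unreachable'
                Missing      = $null
                Error        = $_.Exception.Message
            }
            continue
        }
        # Any requested KB that does not appear in the installed list is missing.
        $missing = $KbId | Where-Object { $_ -notin $installed }
        [pscustomobject]@{
            ComputerName = $computer
            Status       = if ($missing) { 'NeedsPatch' } else { 'Patched' }
            Missing      = ($missing -join ',')
            Error        = $null
        }
    }
}

# Usage (placeholder host names and a placeholder KB id; substitute real values):
# Get-MissingHotFix -ComputerName 'web01','rdp01' -KbId 'KB<number from advisory>' |
#     Where-Object Status -ne 'Patched' | Format-Table -AutoSize
```

Two caveats when reading the output: Get-HotFix only lists updates recorded by the component servicing stack, so an update delivered through a later cumulative or superseding package may carry a different KB id and must be added to -KbId; and a host reported as 'Patched' may still need the reboot the update requires before the new SChannel binaries are in use.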