Windows Schannel (WinShock) vulnerability affects every Windows user in the world

Microsoft just reported and released a patch to a vulnerability (CVE-2014-6321) on November 11, 2014 that affects every single Microsoft Windows user in the entire world. CVE-2014-6321, commonly known as the WinShock vulnerability, has the potential to be as catastrophic as Heartbleed for Microsoft users. After all, there are over 1 billion Windows PCs in the world today.


What is and isn’t affected?

Every supported Microsoft operating system and software on this list should be patched immediately. This includes both servers and workstations. Because the vulnerability affects a user’s operating system, it has the potential to allow attackers to compromise most applications on your computer.

Apple OS, Linux, UNIX, and BSD systems aren’t affected by this vulnerability, and neither are applications that use other SSL libraries, such as Chrome, Firefox, and Safari.

What should I do?

5 words: Patch your Windows OS immediately. This includes all supported versions of Windows OS, such as: Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1.

11/20/14 UPDATE: On November 18, 2014, Microsoft launched a second patch for WinShock because a small number of Microsoft customers experienced issues with the TLS cipher suites included in the original release. If you are currently running Windows Server 2008 R2 or Windows Server 2012 and installed the WinShock patch prior to November 18, make sure to install the second patch. For more information, see Microsoft’s Security TechCenter and support blog.

How does the vulnerability work?

As of right now, we don’t know how the vulnerability works. The vulnerability was identified in an internal audit performed by Microsoft who did not release the nature of the exploit to the public.

What we do know is, Schannel is Microsoft’s closed-source version of SSL and Microsoft has informed the public that there was a remote code execution vulnerability. This means an attacker could execute commands to gain control of any computer or server running an unpatched version of Windows OS.

How does this affect me as a SecurityMetrics customer?

Because there is no exploit for WinShock, remote vulnerability scanners can’t detect it…yet. But it’s only a matter of time. When an exploit for WinShock is released, SecurityMetrics will work to include a check for the vulnerability in its vulnerability scanning engine.

In the meantime, SecurityMetricsvulnerability scanners will give a warning to any business running Windows OS. We recommend you update any Windows OS immediately. If you have any questions, please contact SecurityMetrics support, 801.705.5700.


  1. How does the recommendation to "update immediately" align with PCI requirements to test all patches within test environments prior to releasing to production? This requirement always bothered me especially considering zero day vulnerabilities. What criteria is used to determine "sufficient testing?"

    1. A critical risk vulnerability does not override the requirement to test the patch before rolling it out into production. Our recommendation to patch Windows immediately really means: begin your patching process now.

      We do not recommend updating without testing the patch first. We have seen many organizations update a patch directly to production. The results of such rash decisions often result in either the server crashing, or worst, security holes being introduced into the environment.

      There is no specific requirement that outlines what constitutes "sufficient testing". For this specific patch sufficient testing should include, installing the patch in the test environment, then verify that all SSL services still work as expected (IIS, Mail, etc.) and that no other components of the overall environment are adversely affected.

      Critical patches, such as this one, need to be installed within 30 days. By beginning the patch process now, organizations can have the testing completed and patches rolled out well before this 30 day requirement.

  2. Administrators should also be aware of adverse affects of installing these patches on there web and SQL servers. Some IIS servers are reporting issues with TLS 1.2 negotiating properly, and others are reporting problems with SQL server performance.