Windows Schannel (WinShock) vulnerability affects every Windows user in the world

On November 11, 2014, Microsoft disclosed a vulnerability (CVE-2014-6321) and released a patch for it. The flaw affects every Microsoft Windows user in the world. CVE-2014-6321, commonly known as the WinShock vulnerability, has the potential to be as catastrophic for Microsoft users as Heartbleed was. After all, there are over 1 billion Windows PCs in the world today.


What is and isn’t affected?

Every supported Microsoft operating system and piece of software on this list should be patched immediately. This includes both servers and workstations. Because the vulnerability sits in the operating system itself, an attacker who exploits it can potentially compromise most applications on your computer.

Apple OS, Linux, UNIX, and BSD systems aren’t affected by this vulnerability, and neither are applications that use other SSL libraries, such as Chrome, Firefox, and Safari.


What should I do?

5 words: Patch your Windows OS immediately. This includes all supported versions of Windows, such as Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1.

11/20/14 UPDATE: On November 18, 2014, Microsoft launched a second patch for WinShock because a small number of Microsoft customers experienced issues with the TLS cipher suites included in the original release. If you are currently running Windows Server 2008 R2 or Windows Server 2012 and installed the WinShock patch prior to November 18, make sure to install the second patch. For more information, see Microsoft’s Security TechCenter and support blog.

How does the vulnerability work?

As of right now, we don’t know how the vulnerability works. It was identified in an internal audit performed by Microsoft, which has not released details of the flaw to the public.

What we do know is that Schannel is Microsoft’s closed-source SSL/TLS implementation, and Microsoft has informed the public that it contains a remote code execution vulnerability. This means an attacker could execute commands on, and gain control of, any computer or server running an unpatched version of Windows.


How does this affect me as a SecurityMetrics customer?

Because no exploit for WinShock has been released, remote vulnerability scanners can’t detect it yet. But it’s only a matter of time. When an exploit for WinShock is released, SecurityMetrics will work to include a check for the vulnerability in its vulnerability scanning engine.

In the meantime, SecurityMetrics vulnerability scanners will give a warning to any business running Windows. We recommend you update every Windows system immediately. If you have any questions, please contact SecurityMetrics support at 801.705.5700.