Microsoft has warned of a problem with its recent Schannel security patch that can cause affected servers to drop connections or hang altogether, but has chosen not to remove the patch from its Windows Update servers.
As part of the company's regular Patch Tuesday update cycle, Microsoft this month released a fix for a serious security vulnerability in its Secure Channel (Schannel) package. Joining all rival major SSL/TLS software stacks in having major security flaws exposed this year, the Schannel flaw allowed remote code execution on affected servers without user interaction and with no available workaround or mitigation, leading the company to give the patch its highest severity rating of Critical and to make it a recommended update for all users.
Sadly, the patch itself appears to come with a bug. While it closes the Schannel vulnerability as intended, some users are reporting that it makes their servers unusable. It's a problem Microsoft has confirmed: 'We are aware of an issue in certain configurations in which TLS 1.2 is enabled by default, and TLS negotiations may fail,' the company admitted in an updated knowledge base article on the patch. 'When this problem occurs, TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive.'
For servers that rely on Schannel to provide TLS connectivity, it's a major flaw. Thankfully, Microsoft has a workaround in the form of deleting the registry entries that enable four problematic cipher suites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256. The company does, however, warn that 'serious problems might occur if you modify the registry incorrectly' while removing support for these ciphers.
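The following PowerShell script is an added example, not Microsoft's own instructions, for auditing a server for the four cipher suites named above and, on request, removing them from Schannel's configured list with a backup taken first. It assumes the per-machine Schannel cipher suite order lives in the multi-string value `Functions` under the registry key shown, which the article itself does not name.

```powershell
# Added example (not from the article or Microsoft's knowledge base article).
# Assumption: Schannel's local cipher suite order is the REG_MULTI_SZ value
# "Functions" under this key; the article names the suites but not the key.
$CipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

# The four suites the article reports Microsoft's workaround removes.
$ProblemSuites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-ProblemSuites {
    # Audit only: return whichever of the four suites are currently configured.
    $current = (Get-ItemProperty -Path $CipherKey -Name Functions -ErrorAction Stop).Functions
    $current | Where-Object { $ProblemSuites -contains $_ }
}

function Remove-ProblemSuites {
    # Applies the workaround; supports -WhatIf / -Confirm so it can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = @((Get-ItemProperty -Path $CipherKey -Name Functions -ErrorAction Stop).Functions)
    $keep = @($current | Where-Object { $ProblemSuites -notcontains $_ })
    if ($keep.Count -eq $current.Count) {
        Write-Host 'None of the four suites are configured; nothing to change.'
        return
    }
    # A bad edit here breaks TLS for every Schannel consumer on the host,
    # so save the existing list before touching the value.
    $backup = Join-Path $env:TEMP ('schannel-functions-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $current | Set-Content -Path $backup
    $removed = $current.Count - $keep.Count
    if ($PSCmdlet.ShouldProcess($CipherKey, "remove $removed cipher suite(s) from Functions")) {
        Set-ItemProperty -Path $CipherKey -Name Functions -Value ([string[]]$keep) -Type MultiString
        Write-Host "Removed $removed suite(s); previous list saved to $backup."
        Write-Host 'Schannel reads this value at startup, so reboot for the change to take effect.'
    }
}

# Usage (run from an elevated prompt):
#   Get-ProblemSuites              # report which of the four suites are present
#   Remove-ProblemSuites -WhatIf   # preview the change without writing
#   Remove-ProblemSuites           # apply the workaround after backing up
```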
Microsoft has chosen not to remove the security patch from Windows Update, as it has done previously for faulty patches, nor has it indicated when an updated version of the patch that does not suffer from the flaw will be released. Given the severity of the original vulnerability, however, users are advised to install the patch and edit the registry if required in order to remain protected against attack.