Microsoft has released scant details on a serious vulnerability in its Secure Channel security layer, patched yesterday during its regular update cycle, which affects all current versions of Windows.
Microsoft's Secure Channel package, known officially as Schannel, provides Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption and authentication to the underlying operating system. It's used by any web browser that doesn't bring its own SSL/TLS libraries, including Internet Explorer, as well as by the operating system itself. A security vulnerability in Schannel, then, is serious business - and doubly so when it is discovered that a flaw allows for remote code execution with no mitigations.
'A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets,' Microsoft explained in its brief write-up of the flaw, which it claims to have been alerted to through a third party as part of its coordinated vulnerability disclosure programme. 'When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.'
With the vulnerability covering all currently-supported versions of Windows and allowing for remote code execution with no workarounds or mitigation - including no protection through the recently-upgraded EMET 5.1 add-on - the patch is a recommended install for any users of Windows Vista and above, including Windows RT, while the flaw itself has been rated as Critical by Microsoft.
The vulnerability marks the last of the major SSL/TLS security stacks to fall prey to a major security flaw. Previous vulnerabilities at least as serious as that found in Microsoft's Schannel have been discovered and patched in OpenSSL, GnuTLS and the Apple SecureTransport packages over the past year.
The Schannel flaw is joined in yesterday's Patch Tuesday updates by a zero-day attack under active exploitation which its discoverer, IBM's Robert Freeman, claims can be found in versions of Internet Explorer going back 19 years to Internet Explorer 3.0 and Windows 95, and for which again the EMET add-on provided no protection. The flaw was publicly known since May, Freeman claims.