Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

It’s official, all major SSL stacks are now vulnerable.  There are already a number of detailed blogs written about this new vulnerability, so I am not going to rewrite all of the details.  I am going to sum it up and bottom line it for you.  Here is a good detailed account of the issue if you are interested.

SCHANNEL is to Windows in the same way OpenSSL is to Linux.  It is used in almost all instances where Windows is listening for SSL traffic.

Many people are claiming this is something that needs to be pushed out asap, but as of right now there aren’t any public exploits that are widely available.  Microsoft said there will soon be one and a number of sources also say that is the case.  According to NIST the risk rating for one of the vulnerabilities related to this is a 10 for all categories.  There are a number of vulnerabilities that are related to this exploit.

Do I need to worry about it?

Yes, but it doesn’t mean it has to be an all hands on deck situation.  In fact, this is not a new bug, “this has been remotely exploitable for 18 years,” according to researcher Robert Freeman.  This is a potentially serious vulnerability, but how do the length of time it has been available and the difficulty in exploitation factor into the situation?

What should we do?

Make sure you have a good inventory of your devices.  Any Windows Server listening publically on SSL should get this patch on your next patch cycle(think not only website, but SFTP, RADIUS, etc), even if its not slated for that particular cycle.  You should also double check traveling laptops to make sure they don’t have anything unique on them, but typically they wouldn’t be listening for this traffic.

The rest of your infrastructure is fairly protected behind other defenses and should be addressed with as much prudence as any critical vulnerability would, but at this point and with the information out there, it does not seem that you should drop everything and immediately push this out to all devices.

Knowing where your devices are and what their patch status should be one of your top priorities for your organization.

We will update this blog as new information surfaces.