
What you need to know about ‘WinShock’

Yet again the information security world is buzzing with the news of another serious vulnerability, this time in all versions of Microsoft Windows. The vulnerability, being called WinShock by many pundits, came to light on Tuesday (11th November) when a patch for it was released during a regular Microsoft update. The update, detailed in Microsoft Security Bulletin MS14-066 – Critical, “resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows." Microsoft says that the vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server and rates this security update as 'Critical for all supported releases of Microsoft Windows.'

To help business continuity managers understand the nature of the vulnerability, the associated risks and the actions required, various industry experts sent the following advice to Continuity Central:

Gavin Millard, EMEA Technical Director for Tenable Network Security

Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does, which could be disastrous for any admin that hasn’t updated. It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and leading to further exploitation such as infecting hosts with malware or rootkits and the exfiltration of sensitive data.

Is ‘WinShock’ as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.

As per usual with the ‘Bug Du Jour’, it is of utmost importance that every system in the environment is identified and patched, if required, to reduce the risk of data loss from targeted attackers and the impact of any worms or malware that may surface over the coming days.

Phil Lieberman, CEO of Lieberman Software

This is a very serious bug that needs to be patched immediately. Fortunately the Microsoft platform update ecosystem provides the ability for every customer to be patched for this vulnerability in hours using Microsoft Update. In the similar case of Heartbleed, every open-source vendor needed to provide their own unique distribution to patch the vulnerability. I can say from personal experience that even enterprise firewalls from first tier vendors are still not patched months after the Heartbleed vulnerability was identified.

Although no platform is 100 percent secure, this scenario points out the superiority of commercial software remediation over the chaos of open-source usage of a hodge-podge of components of varying versions and patch scenarios.

Amichai Schulman, CTO, Imperva

System administrators should already have a process to review and patch each Patch Tuesday. Those who have these good habits remain secure; those who have bad habits need reminders or ultimately get compromised before they get around to updating.

This bug affects the listening side of the connection, traditionally the server, but it is difficult these days to make this differentiation with software installing on traditional desktop OSs as servers. Online games are particularly notorious for installing listening ports for incoming connections, so it is best that everyone just apply the patch regardless of the client or server designation.

Attackers will just add this to their playbook as they explore your network for access vectors.

You have two tasks: 1) patch and narrow the aperture of your target surface and, more importantly, 2) have the telemetry in place so that if someone is performing this reconnaissance on your network, you can identify them and shut them down prior to exploitation or exfiltration. Put it this way: if banks had no security cameras or incident response, crooks could show up with tools & torches and take their time as they made their way into the safe.
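The two tasks above, patch coverage and telemetry, as an added PowerShell example that is not from the article or from any of the quoted experts. The KB id is a placeholder to be replaced with the update id given in the MS14-066 bulletin, the host names are constructed, and the Schannel System-log event IDs 36887/36888 (fatal TLS alerts received/generated) are used only as a coarse indicator that a listener is being probed.

```powershell
# Added example: per-host check of MS14-066 patch status plus a count of
# recent Schannel fatal-alert events, so unpatched listeners that are
# seeing unusual TLS traffic can be prioritised.
$Ms14066Kb = 'KB-PLACEHOLDER'              # replace with the KB id listed in MS14-066
$Hosts     = @('srv-web01', 'srv-rdp02')   # constructed sample host names

foreach ($h in $Hosts) {
    # Patch check: Get-HotFix reads the installed-updates list of the remote host.
    $patched = $null -ne (Get-HotFix -Id $Ms14066Kb -ComputerName $h -ErrorAction SilentlyContinue)

    # Telemetry check: Schannel logs fatal TLS alerts to the System log
    # (36887 = alert received from peer, 36888 = alert generated locally).
    # A sudden rise on an unpatched listener is worth a closer look.
    $since  = (Get-Date).AddHours(-24)
    $alerts = Get-WinEvent -ComputerName $h -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887, 36888
        StartTime    = $since
    }

    [pscustomobject]@{
        Host              = $h
        Ms14066Installed  = $patched
        SchannelAlerts24h = @($alerts).Count
    }
}
```

Run from a management host with remote access to the targets; hosts reporting Ms14066Installed = False together with a high SchannelAlerts24h count go to the top of the patch queue.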

Craig Young, security researcher, Tripwire.

2014 has already been a big year for SSL bugs and this month Microsoft is patching another critical SSL weakness with MS14-066. This internally discovered flaw in Microsoft’s Secure Channel (SChannel) implementation could allow a remote unauthenticated attacker to execute arbitrary code on a long list of Microsoft products, including desktop systems with RDP enabled and any web applications using IIS for HTTPS.

Reliable exploitation of the SChannel bug has the potential to be worse than Heartbleed and Shellshock combined due to the large numbers of affected systems. Heartbleed was less powerful because it was ‘just’ an information disclosure bug and Shellshock was remotely exploitable only in a subset of affected systems.

Some administrators may want to prioritize this over the Internet Explorer patch even though we’ve seen attacks in the wild against the browser. This is because MS14-066 has the potential to be exploited without user-interaction.

Fortunately Microsoft’s assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give admins enough time to patch their systems before we see exploits.

Tyler Reguly, manager of security research, Tripwire.

This month sees an increase in the number of ‘services’ that are being targeted. This is a flashback to years gone by, where remote listening services were targeted and local vulnerabilities were much less common. I wonder if this is a reflection of an upcoming change in the threatscape or simply Microsoft lowering the priority of network-based remotes, leaving them until the end of the year and for their ‘kitchen-sink clean-up’. If so, the attackers may take note of this and shift their focus to match the areas that Microsoft has targeted.

Microsoft has, to the best of my knowledge, introduced a new first this month. MS14-068 and MS14-075 have not been released. It is not uncommon for a bad patch to be pulled during the QA process. It is, however, odd for the numbering to remain untouched. This means that we'll likely see both of these bulletins released next month and they will be out of order from the other bulletins.

With several critical issues resolved this month, IT/IS teams will need to respond quickly to kick start the patch process. Given that it is Veteran's Day in the US and Remembrance Day in commonwealth nations, I wonder if we'll see a delayed reaction to these updates. Microsoft may have considered rethinking their release date this month to ensure IT/IS teams were available and fully staffed to react to this massive patch drop.

To make a comment or submit further advice please email editor@continuitycentral.com

Date: 13th November 2014 • World • Type: Article • Topic: ISM
