Vulnerability in Windows SChannel Implementation

Microsoft released a security advisory on November 11, 2014 regarding a critical vulnerability that impacts all Windows systems running a server, such as a web server or print server. This vulnerability is in the Microsoft Secure Channel (SChannel) security package, which implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) internet cryptographic protocols.

The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows system.

For more information about this vulnerability, please see NVD Vulnerability Note CVE-2014-6321.

Severity

Critical

Recommendation

IT staff should apply the security patch MS14-066 to all Windows servers as soon as possible. We recommend that, where possible, all Windows users use Windows Update to ensure their systems are fully patched as well.

If you have questions about patching your Windows system, please check with your department IT staff or helpdesk.

IT staff should note Microsoft has released information about an issue in certain configurations in which TLS 1.2 is enabled by default and TLS negotiations may fail. When this problem occurs, TLS 1.2 connections are dropped, processes stop responding, or services become intermittently unresponsive. Microsoft has posted a workaround on their support website at https://support.microsoft.com/kb/2992611. The recommendation remains to patch your systems.
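
One way for IT staff to confirm that the MS14-066 update is present on a set of servers (an added example, not part of the original advisory or Microsoft's own tooling). It assumes the update is listed under KB2992611, the article number in the support link above, and that you supply the server names; the default list and the parameter names are hypothetical.

```powershell
# Added example: report whether the MS14-066 update is installed on each server.
# Assumption: the update appears in the installed-hotfix list as KB2992611.
# $Servers is a hypothetical inventory; pass your own list of host names.
param(
    [string[]]$Servers = @($env:COMPUTERNAME),
    [string]$KbId = 'KB2992611'
)

$report = foreach ($server in $Servers) {
    try {
        # List all hotfixes and filter locally. Get-HotFix -Id raises an error
        # when the KB is absent, which would be indistinguishable from a failed
        # remote query; this keeps "Missing" and "QueryFailed" separate.
        $fix = Get-HotFix -ComputerName $server -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $KbId } |
               Select-Object -First 1

        [pscustomobject]@{
            Server      = $server
            Status      = if ($fix) { 'Installed' } else { 'Missing' }
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        [pscustomobject]@{
            Server      = $server
            Status      = "QueryFailed: $($_.Exception.Message)"
            InstalledOn = $null
        }
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize

# Exit non-zero if any host is not confirmed patched, for use in scheduled checks.
if ($report | Where-Object { $_.Status -ne 'Installed' }) { exit 1 }
```

A host reported as Missing may still be covered if a later update that supersedes this one was installed instead, so treat Missing as a prompt to check that host's update history, not as proof that it is unpatched.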

Useful links

Note: Microsoft has simultaneously released information about three other critical vulnerabilities:

These vulnerabilities should also be patched, but their severity rating is not as high.