
This article was published on November 11, 2014

Microsoft posts critical patch for huge Windows vulnerability that affects all modern machines

Story by Owen Williams

Former TNW employee

Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their words friendlier. In his spare time he codes, writes newsletters and cycles around the city.

Remember Heartbleed? You know, the exploit in SSL that was so bad it got its own brand? Microsoft may have an issue of similar scale on its hands with a critical patch issued via Windows Update today.

The patch in question is MS14-066, otherwise known by the cryptic name “Vulnerability in Schannel Could Allow Remote Code Execution,” which affects Windows Server 2003/2008/2012, Vista, 7, 8, 8.1 and Windows RT.

Microsoft gives few details about the exploit, other than saying that the bug would “allow remote code execution if an attacker sends specially crafted packets to a Windows server.”

In other words, if an attacker modified packets in a particular way and attacked your machine, they may be able to execute whatever code they like remotely without an authorized account. The attack appears to only affect those running a server on affected platforms.

This is particularly bad as the hole itself is in the Schannel library, which is the layer that handles encryption and authentication in Windows, particularly for HTTP applications.

The bad news? It affects everything running a modern version of Windows, meaning businesses will need to patch a lot of machines as soon as possible. Microsoft also says that there is no workaround or way to mitigate the attack other than the patch.

The good news is that Microsoft says there is no evidence this bug has been exploited in the wild and there’s a patch out right now on Windows Update. Server admins, start your Windows Update….

MS14-066 (Microsoft TechNet)
