Microsoft has admitted that one of the critical patches that it released last night is being exploited and actively attacked.
With some claims that the impact upon unpatched could be as serious as the Heartbleed bug from earlier this year, Microsoft and experts are urging users to patch MS14-064 as a priority.
The flaw, in Windows Object Linking and Embedding (OLE), could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. All supported versions of Windows are vulnerable, including Vista, 7 and 8.
It specifically related to Microsoft Secure Channel (Schannel), Microsoft’s software for implementing secure transfer of data.
Karl Sigler, threat intelligence manager at Trustwave, said that following the last flaw in OLE, which was exploited by the Sandworm group, the flaw was not completely fixed and exploits were still seen succeeding in the wild.
“Microsoft was forced to release an additional advisory with a Fix-It for the problem,” he said. “Now that additional exploitation avenue is closed with this month’s release.”
Gavin Millard, EMEA technical director for Tenable Network Security, admitted that it was hard to determine if the bug, which he called “WinShock” was as bad as ShellShock and Heartbleed, as at the moment, due to the lack of details and proof of concept code it’s hard to determine, “but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them,” he said.
“It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infect hosts with malware or rootkits and the exfiltration of sensitive data.”
Amichai Schulman, CTO of Imperva, said: “The advisory from Microsoft does not state that hosts running web servers are more vulnerable than others to this. It seems that while the same patch includes enhancement to the TLS ciphersuite list, this enhancement has nothing to do with the vulnerability being patched.
“If this vulnerability is indeed exploitable via SSL / TLS it is more sever in nature than Heartbleed because this is a remote code execution vulnerability – it allows the attacker to completely take over the server (while Heartbleed attempted, opportunistically to collect sensitive information).”
TK Keanini, CTO of Lancope, said: “This bug effects the listening side of the connection traditionally the server, but it is difficult these days to make this differentiation with software installing on traditional desktop OS’s as servers.
“Attackers will just add this to their playbook as they explore your network for access vectors. You have two tasks: First is to patch and narrow the aperture of your target surface and but more importantly, secondly, have the telemetry in place so that if someone is performing this recognisance on your network, you can
identify them and shut them down prior to exploitations or exfiltration. Put it this way: if banks had no security cameras or incident response, crooks could show up with tools and torches and take their time as they made their way into the safe.”
