Last week Microsoft released a patch for a critical remote code execution vulnerability in its security channel (SChannel). The SChannel is the security package that implements SSL/TLS in all supported versions of Windows server and client operating systems. This bug, although recently identified, has been around since Windows 95.
Microsoft will not be releasing a patch for Windows XP, Windows NT or Windows 2000.
Sometimes referred to as WinShock, this vulnerability has been compared to the critical bugs Shellshock and Heartbleed. While no exploits for this Windows SChannel bug have been reported in the wild, now that the patch is out it will be easy to reverse engineer the fix and work out how to reach the vulnerability. In other words, you could be at even greater risk now that a patch is out than you were before.
While the Microsoft vulnerability bulletin calls out servers as the potential victims, the SSL/TLS stack is also used every time a browser connects to a secure website. An attacker with details of this vulnerability could therefore host a malicious site that offers “security” via bogus SSL/TLS packets.
Here’s a caveat: some users who have applied the patch are having issues, including a fatal TLS error. Luckily there is a workaround, which involves deleting certain cipher entries in the registry. However, it’s important to note that serious problems might occur if users modify the registry incorrectly. A few other problems are also being reported, so take caution when applying the patch and make sure you have backups ready just in case.