Microsoft Patch Boasts 14 Security Updates For 33 Flaws. Whew!

Microsoft has released a patch to the Windows cryptographic library that fixes a total of 33 vulnerabilities in the Microsoft Secure Channel component.

The November patch includes 14 security updates for the flaws. The patch comes after a similar update last month that fixed 24 Common Vulnerabilities and Exposures (CVEs).

A number of flaws were also found in Microsoft Object Linking and Embedding technology, which allows the passing of data between applications.

"Today another vulnerability, CVE-2014-6352, was fixed in OLE," said Amol Sarwate, director of Vulnerability Labs at Qualys. "It's hard to say if more vulnerabilities may or may not be found in OLE, but usually when a vulnerability is found in a certain component, white hat security researchers as well as attackers start poking that component to check for existence of other flaws."

Microsoft has made it quite clear the vulnerabilities found could be exploited by an attacker to execute code on a Windows system running as a server. It is unclear whether or not a malicious HTTPS website could exploit the flaw to execute code on Windows-based computers through Internet Explorer, which relies on similar software.

"The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website (which most are these days)," said Jared DeMott, a security researcher at Bromium. "And it would be straightforward for an attacker with details of this vulnerability, to host a malicious site that offers 'security' via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we'll have to wait to hear about how bad it is."

The flaw in SChannel was found after a number of other flaws were found this year in other SSL and TLS libraries. These include the likes of OpenSSL, GnuTLS and so on. The update doesn't just take care of the flaw found in SChannel, but it also adds stronger encryption on older versions of Windows.

"This update includes new TLS cipher suites that offer more robust encryption to protect customer information," says the security bulletin. "These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."

The update addresses machines running Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics