Is MS14-066 the Windows Shellshock?

The latest Patch Tuesday from Microsoft (November 11, 2014) includes fixes for some major vulnerabilities, including remote code execution bugs affecting core Windows components and Internet Explorer. The three major bulletins of note are MS14-064, MS14-065 and MS14-066, all of which have a CVSS score of above 9.0.

MS14-064 patches a bug in the Windows Object Linking and Embedding (OLE) library which appears to be a continuation of vulnerabilities disclosed last month in MS14-060 (aka Sandworm). Researchers have already seen this vulnerability used in the wild for exploitation through the use of malicious PowerPoint files. On the other hand, MS14-065 is a cumulative update that fixes 17 Internet Explorer bugs, including one major vulnerability that would enable an attacker to run code on a target system if the user was encouraged to view a crafted webpage using Internet Explorer.

This week is a good time to do a full credentialed scan

However, MS14-066 is more troublesome, since it’s a remote code execution vulnerability affecting all supported versions of Windows including the Server platforms. This bug was discovered in Schannel, a set of security protocols for communication and identity authentication. This vulnerability is of particular concern because an attacker could utilise it without user interaction. No proof of concept code has surfaced at this time, thanks to Microsoft being tight-lipped on the exact details of the vulnerability. But it won’t be long until proof of concept code does show up, which could be disastrous for any administrator who hasn’t updated Windows.

Is MS14-066, dubbed "WinShock," as bad as Shellshock and Heartbleed? At the moment, due to the lack of details and proof of concept code, it’s hard to say. But a remote code execution vulnerability affecting all versions of Windows Server on a common component like Schannel has the possibility of ranking right up there with the other major vulnerabilities of 2014.

As usual, with any “Bug Du Jour,” Tenable customers should use Nessus and SecurityCenter to identify hosts that are affected and patch accordingly. Plugins for both Nessus and SecurityCenter have been updated to detect if the patches for MS14-064, MS14-065 and MS14-066 are missing on affected hosts. The plugins also check for the 9 other updates released on Patch Tuesday 11/11/14.

This week is a good time to do a full credentialed scan of all the Windows and OS X assets on your network, since we’ve also seen major patches released by Adobe to address critical flaws in Flash and Air, and Google to fix critical vulnerabilities in Chrome.