Winshock a forever day vulnerability
Microsoft has released a patch for the Secure Channel (or SChannel) vulnerability (CVE-2014-6321). This bug has been around since the release of Windows 95; it was first detected in May 2014. Affected systems are Windows servers and workstations.
Secure Channel is the Windows implementation of SSL and TLS; it is used to secure communication channels in Windows. The vulnerability could allow an attacker to run malicious code on a Windows server. The vulnerability has been dubbed Winshock; it is reminiscent of the Heartbleed vulnerability uncovered earlier in 2014.
Heartbleed was a vulnerability in OpenSSL that enabled attackers to gain access to the memory of vulnerable systems by using arbitrary strings. Under certain circumstances it could allow an attacker to steal information including login credentials and private keys.
As with the Shellshock vulnerability, this flaw has been undiscovered for an extended time period; 19 years in this case. The Shellshock bash exploit is estimated to have been introduced 25 years ago. There is a possibility that other long standing bugs may yet be discovered.
Whilst no exploits currently exist, Microsoft expects that exploits will be developed. Microsoft has not released all details of the exploit; there has been speculation that any browser connecting to a web site is potentially vulnerable, unless the patch is applied.
A sub text to the vulnerability is that several older versions of Windows will not have patches released, due to them being out of support. Aside from Windows XP, Windows NT and Windows 2000 are also unsupported by Microsoft. These three Windows versions are likely to become prime targets for any exploits developed.
This will place organisations in a quandary, as many will have older unsupported versions of Windows running. Larger organisations may struggle, as many may have old unsupported versions of Windows that have been forgotten, but are still on the network. This will mean a potential backdoor into an organisation. Irrespective, organisations will need to identify and patch vulnerable systems, whilst removing or replacing older Windows versions that cannot be patched.
The fact that patches won’t be made available for Windows XP, NT or 2000 has led some to call the Winshock vulnerability the first “forever day” vulnerability.