WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed

Security researchers have released a proof-of-concept exploit against the SChannel crypto library flaw patched by Microsoft last week. The release of a PoC for the MS14-066 vulnerability through the Canvas tool from Immunity Inc underlines the need to patch. The flaw opens the door to remote code execution on unpatched …

  1. Conrad Longmore

    Easier to patch?

    Easier to patch in most cases, although reportedly there are issues with some systems that rely on TLS 1.2 connections.

    Also, this is a remote code execution flaw, so if it does get exploited it has a far worse impact than Heartbleed.

    1. DanDanDan

      Re: Easier to patch?

      Agreed - Remote execution is much, much worse.

      In addition, I find the line "Proof of concept released" followed by "Exploit will be hard to achieve", slightly odd.

    2. Anonymous Coward

      Re: Easier to patch?

      I agree. This "article" smacks of spin.

      Let's put it into technical terms:

      Heartbleed: Random data leak affecting https web servers using a common library.

      Shellshock: Remote execution on some servers, depending on how the application was written.

      SChannel: Remote execution affecting every server and client of the whole product range. Requires a reboot to patch.

      1. John Sanders

        Re: Easier to patch?

        Obviously lots of white washing like anything MS these days

    3. Vic

      Re: Easier to patch?

      Easier to patch in most cases

      No, I don't get that at all.

      Heartbleed was a very serious bug, but it was *trivial* to patch. Mind-numbingly simple.

      The SChannel bug can only be, at best, as easy to patch as Heartbleed - and that implies that you have the source to patch (i.e. you are Microsoft).

      Vic.

      1. foxyshadis

        @Vic

        In what world is source patching the only form of patching? Barring a catastrophe, Windows Update is two clicks and forget. OpenSSL can be that simple if it was delivered as part of your OS, but it turned out that it was also statically built into many applications, it was a large part of many unsupported or never-updated networking appliances, along with the necessary extra work to get custom installs working.

        If you ever look into it, I think you'll find that building a copy of DD-WRT is significantly more painful than changing one line of code, despite having the source. Then come back about how trivial it is.

        1. Vic

          Re: @Vic

          In what world is source patching the only form of patching?

          Ultimately, it is pretty much the only form of patching - very few people still do direct hex-editing these days...

          Windows Update is two clicks and forget.

          Ah. So getting someone else to do your patching is easy. Well, it's just as easy in any environment where you can pull down someone else's code. That's my "at best, as easy to patch as Heartbleed" comment - if all you're doing is pulling down someone else's binaries, there is no difference whatsoever in ease of correction (thus proving the original statement of the SChannel bug being "[e]asier to patch in most cases" entirely incorrect).

          But if you don't *have* someone else's binaries, Heartbleed is still trivial to patch, whereas SChannel is not. Thus proving the original statement of the SChannel bug being "[e]asier to patch in most cases" entirely incorrect.

          If you ever look into it, I think you'll find that building a copy of DD-WRT is significantly more painful than changing one line of code, despite having the source. Then come back about how trivial it is.

          Got a patch for Windows XP? Nope, of course you haven't. Patching is much harder if you get no support from upstream. But if you've got an old copy of - as per your example - DD-WRT with the Heartbleed bug, you can still patch it...

          Vic.

    4. Michael Wojcik Silver badge

      Re: Easier to patch?

      reportedly there are issues with some systems that rely on TLS 1.2 connections

      The SChannel update included a bunch of behavior changes - it didn't just patch this hole. For example, SChannel no longer includes the Supported Points Format Extension in its ServerHello message (reported by Mounir Idrassi on OpenSSL-Users). This is allowed by the protocol, but it's had the effect of breaking interoperability with at least OpenSSL prior to 1.0.1c for ECC suites.

      There seem to be a number of changes that have similarly broken interoperability with other implementations that aren't fully standards-conforming, for the less-used suites. So expect some issues following the fix.
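      The interoperability point above (an ECC suite negotiated but no ec_point_formats extension in the ServerHello) can be checked mechanically from a captured handshake. The following Python is an added example, not code from the commenter, Microsoft or OpenSSL; it builds constructed ServerHello bodies and flags that combination, and its ECC-suite test is an approximation that treats the 0xC0xx block of the IANA cipher-suite registry as the ECDH(E) suites.

```python
import struct

# IANA TLS extension type for ec_point_formats (RFC 4492 / RFC 8422)
EXT_EC_POINT_FORMATS = 0x000B
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (real IANA value, used as the ECC suite here)
ECDHE_RSA_AES128_GCM = 0xC02F
# TLS_RSA_WITH_AES_128_CBC_SHA (real IANA value, a non-ECC suite for contrast)
RSA_AES128_CBC = 0x002F

def build_server_hello(cipher: int, with_point_formats: bool) -> bytes:
    """Constructed ServerHello body (4-byte handshake header already stripped)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # TLS 1.2, all-zero random, empty session id
    body += struct.pack(">HB", cipher, 0)            # chosen cipher suite, null compression
    exts = struct.pack(">HH", 0xFF01, 1) + b"\x00"   # renegotiation_info, sent by most servers
    if with_point_formats:
        # ec_point_formats: list length 1, format 0 = uncompressed
        exts += struct.pack(">HH", EXT_EC_POINT_FORMATS, 2) + b"\x01\x00"
    return body + struct.pack(">H", len(exts)) + exts

def parse_server_hello(body: bytes) -> dict:
    """Return the cipher suite and a map of extension type -> extension data."""
    off = 2 + 32                                     # skip version and random
    off += 1 + body[off]                             # skip session id (length-prefixed)
    cipher = struct.unpack(">H", body[off:off + 2])[0]
    off += 3                                         # cipher suite + compression method
    exts = {}
    if off + 2 <= len(body):                         # extensions block is optional
        end = off + 2 + struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            exts[etype] = body[off + 4:off + 4 + elen]
            off += 4 + elen
    return {"cipher": cipher, "extensions": exts}

def is_ecc_suite(cipher: int) -> bool:
    # Approximation: the ECDH(E) suites of RFC 4492/5289 are assigned in this block
    return 0xC000 <= cipher <= 0xC0FF

def omits_point_formats(body: bytes) -> bool:
    """True when an ECC suite was chosen but ec_point_formats is absent, the
    combination the comment says tripped OpenSSL before 1.0.1c after the update."""
    hello = parse_server_hello(body)
    return is_ecc_suite(hello["cipher"]) and EXT_EC_POINT_FORMATS not in hello["extensions"]
```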

  2. Slartybardfast

    Strange

    I've just listened to the last Security Now podcast in which Steve Gibson acted like Chicken Little. Now Steve is sometimes prone to histrionics but after listening to his reasoning he did make some valid points. This certainly has the potential to be worse than Heartbleed or Poodle. I suggest anyone interested has a listen.

  3. InfoSecLuke

    Wake Up Call

    It was only a matter of time before the patch was reverse engineered and an exploit found for the vulnerability.

    Thankfully the industry had a little more lead time on this one in terms of patching systems before the PoC emerged. Well, at least compared to Heartbleed and Shellshock.

    No doubt however we'll still be finding this vulnerability in penetration tests for years to come. I mean I still regularly find ms08-067 at some client sites.
