Running Windows? You should probably run your updates about now. A serious new vulnerability has been confirmed in every supported version of Windows, from Windows Server 2003 and Vista onwards, and it lets an attacker execute their own arbitrary code on the affected machine remotely.
The issue (CVE-2014-6321, fixed by Microsoft security bulletin MS14-066) is rated critical by Microsoft, and affected users are being strongly encouraged to update their systems.
Vulnerable versions of Windows include Vista, 7, 8 and 8.1, plus Windows RT and RT 8.1. Also at risk is Microsoft’s server family of operating systems: Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2.
Microsoft has issued a patch to fix the issue, currently available to download. Microsoft lists no workarounds and no mitigating factors for this bug, so installing the update is the only fix.
Curious about how this vulnerability works, and how this impacts you? Read on for more information.
What’s The Bug?
Microsoft Secure Channel – Schannel for short – is the Windows component that implements SSL and TLS, the protocols used to create cryptographically secure network connections. Any Windows program that speaks SSL/TLS without bringing its own crypto library goes through Schannel: Internet Explorer when you browse an HTTPS site, IIS when it serves one, Remote Desktop, and the directory services that handle logins on a corporate network. It’s incredibly important.
The issue arises when an attacker sends a specially crafted packet to a computer running a vulnerable version of Schannel. This can result in the computer executing arbitrary code written by the attacker, in the context of the service that accepted the connection, which can perform all kinds of unwanted actions. These could include traffic being hijacked, deployment of malware, or much, much worse.
But most home users shouldn’t be too worried. The threat only really emerges when you have a software package installed which listens on a port for encrypted connections, because that is the code path the crafted packet reaches. On a typical home PC nothing does, with one common exception: if you have enabled Remote Desktop and forwarded it through your router, that listener uses Schannel too. The most profound impact will be felt in the enterprise world, where many use Windows as a web or FTP server, or to handle logins on their internal network.
Wasn’t There Something Similar For OS X Recently?
Yes, and for Linux as well. Apple’s own SSL/TLS implementation, SecureTransport, was found earlier this year to skip certificate validation because of a stray line of code (the ‘goto fail’ bug). A few months later OpenSSL, the implementation used on most Linux systems, was hit by the bug dubbed ‘Heartbleed’, which allowed attackers to read chunks of a server’s memory by sending a specially crafted heartbeat message. That memory could include private SSL keys, thus making it possible to surreptitiously intercept network traffic. It even impacted mobile devices.
According to Ars Technica, all major implementations of SSL/TLS across all platforms have seen a major vulnerability recently, including OpenSSL, GnuTLS and Apple’s SecureTransport.
However, Microsoft’s vulnerability is arguably more serious, and not just because it allows arbitrary code execution rather than a memory leak. It is reachable by anyone who can open a connection to a vulnerable service, there is no workaround short of patching, and because Schannel is shared by every Windows service that speaks TLS, one bug exposes all of them at once.
But What About The XP Users?
Earlier this year, Microsoft discontinued offering security updates for computers running Windows XP.
Consumers have been strongly advised to upgrade to a supported version of Windows, yet almost 17% of all computers connected to the Internet still run Windows XP to this day. Although incredibly dated, many are sticking to their old, tried-and-tested XP machines. Some can’t move away from it even if they wanted to, due to compatibility issues in legacy software.
Microsoft has not tested this vulnerability against XP, and has not conclusively stated whether users of the aged operating system are at risk. However, Windows XP shares a number of packages and libraries in common with newer versions of Windows, and Windows Server 2003, which was built from much the same code base as XP and released shortly after it, is confirmed to be affected.
Either way, XP users should be especially wary of this vulnerability, but they certainly shouldn’t expect to see a patch any time soon.
How Can I Secure My Computer?
For those running a supported version of Windows, the fix is laughably easy.
Just run your security updates. Honestly, that’s it. A patch was available on the very day the vulnerability was disclosed, because the bug was reported to Microsoft privately and fixed before anyone announced it. This is what Microsoft’s well established, coordinated engagement with the security community is for.
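For readers administering a Windows box, here is the check that follows from the two points above: which services on this machine accept TLS connections through Schannel (the exposure condition described under “What’s The Bug?”), and whether the MS14-066 update is actually installed. This is an added example written for this page, not code from the article or from Microsoft. It assumes an English-language `netstat` (the regex looks for the word LISTENING), and that KB2992611 is the hotfix ID MS14-066 installs on your Windows version; verify that against the bulletin if it reports the fix missing. The port-to-service table is a heuristic I constructed, not an official list.

```powershell
# Added example (not from the article): exposure-and-patch check for CVE-2014-6321.
# Run from an elevated PowerShell prompt. Written for PowerShell 2.0+ so it also
# works on Vista / 7 (hence New-Object PSObject rather than [PSCustomObject]).

# 1. Out-of-support OS? XP is version 5.1 and will never get this fix.
#    (Server 2003 is 5.2 and was still supported and patched under MS14-066.)
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and $os.Minor -eq 1) {
    Write-Warning "Windows XP ($os) detected: no fix for CVE-2014-6321 will ship for it."
}

# 2. Enumerate listening TCP sockets and the process that owns each one.
#    netstat output is parsed instead of using Get-NetTCPConnection, which
#    only exists on Windows 8 / Server 2012 and later. Assumes English output.
$listeners = foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $procId = [int]$Matches[3]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Address = $Matches[1]
            Port    = [int]$Matches[2]
            PID     = $procId
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
}

# 3. Ports conventionally wrapped in TLS and, on Windows, normally served through
#    Schannel. Heuristic (constructed for this example): any service that accepts
#    TLS via Schannel is in scope whatever port it uses, so treat this as a
#    starting point, not a verdict.
$tlsPorts = @{
    443  = 'HTTPS (IIS / HTTP.sys, usually shows as PID 4 "System")'
    636  = 'LDAPS (Active Directory logins)'
    3269 = 'Global Catalog over TLS'
    3389 = 'Remote Desktop (TLS security layer)'
    990  = 'FTPS (implicit TLS)'
    465  = 'SMTPS'
    993  = 'IMAPS'
    995  = 'POP3S'
    5986 = 'WinRM over HTTPS'
}

$exposed = $listeners | Where-Object { $tlsPorts.ContainsKey($_.Port) }
if ($exposed) {
    "Listeners that likely accept TLS through Schannel:"
    $exposed | ForEach-Object {
        "  {0}:{1}  PID {2} ({3})  {4}" -f $_.Address, $_.Port, $_.PID, $_.Process, $tlsPorts[$_.Port]
    }
} else {
    "No listeners found on common TLS ports; the server-side exposure described above does not apply here. Patch anyway."
}

# 4. Is the MS14-066 update installed? Get-HotFix reads the installed-updates
#    list; KB2992611 is assumed to be the update ID for this bulletin.
$fix = Get-HotFix -Id 'KB2992611' -ErrorAction SilentlyContinue
if ($fix) {
    "MS14-066 fix $($fix.HotFixID) is installed (installed on: $($fix.InstalledOn))."
} else {
    Write-Warning "KB2992611 not found: run Windows Update and reboot before exposing any TLS service."
}
```

The point of listing the owning process is that the arbitrary code in this bug runs with that process’s privileges: a listener owned by PID 4 (the kernel’s HTTP.sys, serving IIS) or by `lsass` (LDAPS on a domain controller) is a far worse outcome than one owned by a low-privilege service account, which is worth knowing when you are deciding what to patch first.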
If you’re running Windows XP, there’s only really one option. Ditch it.
These types of security issues will only continue to crop up, and you will remain horribly insecure. If you want to move to a more modern version of Windows, it’s still possible to get a Windows 7 license quite easily, even though Microsoft has officially discontinued sales. If you want something even closer to the cutting edge, there’s always Windows 8/8.1, which can even be made to look like Windows 7 with a bit of tweaking.
And if nothing else, Linux remains a pretty decent option. My colleague, Danny Steiben, has categorized the best Linux distributions for Windows XP refugees, whilst Matt Smith thinks you should just get a Macbook Air. Whatever you choose, it’ll be significantly more secure than what you have now.
This bug is a doozy, don’t get me wrong. With that said, Microsoft should be commended for how they handled this serious issue. They were able to work with the security researchers who discovered the vulnerability, and were able to issue a patch in a timely manner. This patch you can, and should, install right now through your updates manager.
Do you have any thoughts on this vulnerability? Tell me about it. Comments section is below.