
Windows Users Beware: You’ve Got A Serious Security Issue

Matthew Hughes 13-11-2014

Running Windows? You should probably run your updates about now. A serious new vulnerability has been confirmed as present in all versions of Windows from Vista onwards which has the potential to let hackers execute their own arbitrary code.


The issue (CVE number CVE-2014-6321) is rated critical by Microsoft, and affected users are being strongly encouraged to update their systems.

Vulnerable versions of Windows include Vista, 7, 8 and 8.1 (both RT and non-RT). Also at risk is Microsoft’s server family of operating systems, including Windows 2003, 2008 and 2012.

Microsoft has issued a patch to fix the issue, currently available to download. There are no known workarounds or mitigation tactics to address this issue.

Curious about how this vulnerability works, and how this impacts you? Read on for more information.

What’s The Bug?

Microsoft Secure Channel – Schannel for short – is the Windows component that creates and uses cryptographically secure network connections. It is involved whenever anything on the system is encrypted with SSL or TLS, including when you browse the Internet. It’s incredibly important.



The issue arises when an attacker sends a specially crafted packet to a computer running a vulnerable version of Schannel. This can result in the computer executing arbitrary code written by the attacker, which can perform all kinds of unwanted actions. These could include traffic being hijacked, deployment of malware, or much, much worse.

But most home users shouldn’t be too worried. The threat only really emerges when you have a software package installed which listens on a port for encrypted connections. The most profound impact will be felt in the enterprise world, where many use Windows as a web or FTP server, or to handle logins on their internal network.

Wasn’t There Something Similar For OS X Recently?

Good catch.


The implementation of SSL/TLS on Linux/OS X was found to contain a similar vulnerability just a few months ago. Dubbed ‘Heartbleed’, it allowed attackers to retrieve private SSL keys by sending a specially crafted packet, thus making it possible to surreptitiously intercept network traffic. It even impacted mobile devices.

According to Ars Technica, all major implementations of SSL/TLS across all platforms have seen a major vulnerability recently, including OpenSSL, GnuTLS and Apple’s SecureTransport.

However, Microsoft’s vulnerability is arguably more serious, and not just because of the arbitrary code facet.

But What About The XP Users?

Earlier this year, Microsoft discontinued offering security updates for computers running Windows XP.


Consumers have been strongly advised to upgrade to a supported version of Windows, yet almost 17% of all computers connected to the internet still to this day run Windows XP. Although incredibly dated, many are sticking to their old, tried-and-tested XP machines. Some can’t move away from it even if they wanted to, due to compatibility issues in legacy software.


Microsoft has not tested this vulnerability against XP, and has not conclusively stated whether users of the aged operating system are at risk. However, Windows XP shares a number of packages and libraries in common with newer versions of Windows. Furthermore, Windows Server 2003, which was released close to XP, is known to be affected.

Either way, XP users should be especially wary of this vulnerability, but they certainly shouldn’t expect to see a patch any time soon.


How Can I Secure My Computer?

For those running a supported version of Windows, the fix is laughably easy.

Just run your security updates. Honestly, that’s it. Unlike Heartbleed, a patch was issued at the same time as the vulnerability was disclosed. This is largely due to Microsoft’s well established engagement with the security community.
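As an added example (not from the article), here is a PowerShell audit a defender could run on a Windows host to check the points made above: whether the OS is in the affected family, whether the Schannel fix from Windows Update is present, and which processes are listening for TCP connections and so could receive the crafted packet. The KB number is a placeholder to be filled in from Microsoft’s bulletin for CVE-2014-6321, the list of "likely TLS" ports is a constructed hint, and the netstat parsing assumes English-locale output.

```powershell
# Added example: host-side audit for the Schannel bug (CVE-2014-6321).
# Get-WmiObject is used rather than Get-CimInstance so it works on PowerShell 2.0 (Vista/2003 era).

# 1. Affected family per the article: Server 2003 (5.2) and Vista (6.0) onwards; XP (5.1) is untested.
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version]$os.Version
$inAffectedFamily = ($ver -ge [version]'5.2')
"OS: $($os.Caption) ($($os.Version)) - in affected family: $inAffectedFamily"

# 2. Is the Schannel fix installed? PLACEHOLDER KB id: take the real one from Microsoft's bulletin.
$kb  = 'KB<bulletin-kb-number>'
$fix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $kb }
if ($fix) { "Fix $kb installed on $($fix.InstalledOn)" }
else      { "Fix $kb NOT found - run Windows Update" }

# 3. Listening TCP sockets: the article notes the risk is greatest on hosts that accept
#    encrypted connections (web, FTP, logon services). Ports below are a constructed hint only.
$likelyTlsPorts = 443, 636, 990, 3389
$listeners = netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ }    # drop empty tokens
    $port = [int]($f[1] -split ':')[-1]                  # last colon-separated field is the port
    [pscustomobject]@{
        Local     = $f[1]
        PID       = [int]$f[4]
        Process   = (Get-Process -Id $f[4] -ErrorAction SilentlyContinue).ProcessName
        LikelyTLS = ($likelyTlsPorts -contains $port)
    }
}
$listeners | Sort-Object Local -Unique | Format-Table -AutoSize
```

Run it in an elevated prompt so netstat can map every socket to its owning process; any listener flagged LikelyTLS on an unpatched host is where the patch matters most.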


If you’re running Windows XP, there’s only really one option. Ditch it.

These types of security issues will only continue to crop up, and you will remain horribly insecure. If you want to move to a more modern version of Windows, it’s still possible to get a Windows 7 license quite easily, even though Microsoft has officially discontinued sales. If you want something even closer to the cutting edge, there’s always Windows 8/8.1, which can even be made to look like Windows 7 with a bit of tweaking.

And if nothing else, Linux remains a pretty decent option. My colleague, Danny Steiben, has categorized the best Linux distributions for Windows XP refugees, whilst Matt Smith thinks you should just get a MacBook Air. Whatever you choose, it’ll be significantly more secure than what you have now.

Get Secure

This bug is a doozy, don’t get me wrong. With that said, Microsoft should be commended for how they handled this serious issue. They were able to work with the security researchers who discovered the vulnerability, and were able to issue a patch in a timely manner. This patch you can, and should, install right now through your updates manager.

Do you have any thoughts on this vulnerability? Tell me about it in the comments section below.


  1. soltan ahmad rahimi
    December 6, 2014 at 1:22 pm


  2. an0n1m0us
    November 23, 2014 at 10:28 am

    XP users get a patch for this via POSReady if they've chosen that option.

  3. Kyle
    November 15, 2014 at 1:45 pm

    (3) Things

    1. Two weeks ago there were multiple articles claiming XP dropped by 8% from 25% to 17% in a month. Later this was retracted as a "flaw" in their calculations but the damage was done already.

    2. Now we have this "security issue" for which XP won't be patched.

    3. All this right before the release of Windows 10.

    Either I am a conspiracy theorist or MS is really trying to kill XP before the release of Windows 10 by circulating false stories.

  4. John Walsh
    November 15, 2014 at 11:31 am

    Looks to me like a plot to kick us up from Windows XP. If computers were meant to make life easier, why do we end up feeling so helpless? We have fallen into the hands of an industry which has a vested interest in keeping us jumpy.

  5. clefft
    November 15, 2014 at 4:49 am

    Wow, do you (none of your business) have a twisted view of technology. But seriously, XP was a dog. Glad Windows has moved on from that monstrosity of an operating system.

    • Clonkex
      November 27, 2014 at 2:17 am

      XP was by far the most popular OS in the world for many years, and I was one of those users. What makes you say it was a dog? It was brilliant and definitely wasn't a monstrosity. It was considerably faster and more reliable than any previous version of Windows.

    • Keith Rulli
      December 3, 2014 at 10:00 pm

      ha ha ha ha. good comeback, made me chuckle even with a 102 degree fever

  6. NoneOfYourBusiness
    November 14, 2014 at 9:36 pm

    Why does my new Windows 7 keep losing established "System Restore" points? They disappear every few days. I got pissed at a Lenovo G70 laptop (less than 1.5 years old; now smashed & in the garbage) because the damn Restore would not work. Bluetooth was connected to the network card (2-in-1). I uninstalled the Bluetooth drivers and reinstalled, and the network card quit working, then Lenovo's One Key Recovery would not work, then the Windows 7 disc that I got from Lenovo would not allow for a reimage - so I shit-canned the damn thing. Windows 8.XX sucks and Windows 10 is already shaping up to be a disaster....Microsoft, Qualcomm, Oracle, Google are all viruses in and of themselves. Wait till 2015 when the Internet Freedom Act, which is always the antithesis to the actual name of the bill, passes...the Nazis never left; they just took over the world via technology and wars on multiple fronts.

    • Karl-Heinz
      November 15, 2014 at 5:10 am

      I wonder why you haven't considered using a Mac - then you would not have such curious problems.

  7. NoneOfYourBusiness
    November 14, 2014 at 9:28 pm

    People use XP because it works better than those that followed afterward!!

    • Col. Panek
      November 15, 2014 at 1:54 am

      We newly-converted Linux users feel your pain.

      Well, used to feel your pain, anyhow.

  8. Kevin Dethlefs
    November 14, 2014 at 6:05 am

    Recently I had Windows 10 Tech Preview reboot (and reinitialize my account) for no apparent reason. I wonder if this is why. Was kind of annoying, but I wasn't using it at the time. Was trying to use it shortly after, where it got stuck at 77% of the setup process. Just let it run overnight and it was good.

    • NoneOfYourBusiness
      November 14, 2014 at 9:37 pm

      Another VISTA monster ahead.

    • Kevin Dethlefs
      November 14, 2014 at 9:44 pm

      Considering your other replies you're clueless. I like Windows ten. It's very well put together overall considering it's a tech preview.

  9. dragonmouth
    November 13, 2014 at 10:42 pm

    "Unlike HeartBleed, a patch has been issued at the same time of the vulnerability being disclosed."
    You make it sound like Heartbleed still hasn't been fixed. Nothing could be further from the truth. As part of the Heartbleed vulnerability announcement, all SSL users were advised to immediately download a new, non-vulnerable version.

    There may be some instances of the vulnerable SSL still around, just as there are unsupported versions of Windows because people won't or can't upgrade.

    • CityguyUSA
      November 15, 2014 at 3:06 am

      It was largely servers affected by the Heartbleed bug and there are millions of servers running SSL under Linux. There's no guarantee that these servers have been patched.

      Makes me wonder why the software industry is held harmless for all the danger they've exposed the population to and all the expense they've caused, and yet they go merrily along their way with no chance of litigation.

    • Bruce E
      November 16, 2014 at 6:27 am

      Let's see, Heartbleed was discovered in March IIRC and disclosed in April. At the end of June there were still more than 300K servers that hadn't been patched. Well, that's not exactly true because that number includes the 60K or so previously unaffected servers that were added because they were updated to vulnerable versions of OpenSSL. At the end of August that number was virtually unchanged. Those numbers are only indicating the servers that are using vulnerable versions of OpenSSL. It does not include those that patched the software but did nothing about their keys and certificates which is part of the total remediation process.

      Just because people were advised to do something to fix the problem does not mean they did it or they did it properly.