MS14-066 is a critical security update for Windows servers – patch as soon as possible

MS14-066 is probably the most important Microsoft security bulletin of 2014

Yesterday (11-Nov-2014) was Patch Tuesday and Microsoft released 14 security bulletins. As is typical, each bulletin describes one or more vulnerabilities in one or more Microsoft products. One of these bulletins, MS14-066, looks to be extraordinarily important, as it describes a vulnerability that can be exploited by a malicious actor simply by sending carefully designed packets across the network. Successful exploitation would allow the attacker to execute code on the target.

Most security vulnerabilities require that the victim take some action, such as visiting a malicious website, in order to be put at risk. The vulnerability described in MS14-066 is different, as the target system can be compromised by an attacker without a user or administrator taking action. Moreover, the vulnerable component (Schannel) is widely used to secure connections to Windows systems, including remote desktop logins, encrypted web traffic and other transactions. In short, there appears to be no workaround that could be used to prevent exposure of this vulnerability.

SANS recommends prioritizing the updates for MS14-066 and applying them as soon as possible – certainly within the next week. The systems at most risk will be Windows servers that accept connections from the Internet (e.g. web servers, remote application servers etc.) and laptops etc. that travel outside the confines of the corporate network (especially if Remote Desktop has been enabled). In addition, it is important to remember that malware-infected Windows client systems typically download updates on a regular basis. We expect that as reliable exploits are developed for MS14-066, these will be incorporated into malware and will be used to try to compromise vulnerable systems within corporate networks.

The bottom line: patch external-facing systems, but then move on and patch internal systems as soon as possible. Cleartech Solutions managed services clients have been alerted and update deployment plans finalized.

Update: ZDNet and Ars Technica both have good articles describing MS14-066 and the urgency around patching it.
