The tech world as a whole is still reeling from the OpenSSL vulnerability that was so bad it was baptized with its own name. Now Microsoft might have an equally terrible, or perhaps even worse, issue on its hands. A bug in its Schannel (short for “Secure Channel”) security package could, in theory, allow any hacker to remotely run a program just by sending a specially crafted network packet to a Windows server. To add insult to injury, this security flaw exists in a wide range of Windows versions dating back to 2003.
To some extent, Schannel is Microsoft’s counterpart to OpenSSL, in the sense that it is the component that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) for the OS. So it is ironic, yet not unheard of, that the component in charge of implementing secure communication would become the vehicle for compromising the security of a system.
As with much proprietary software, Microsoft isn’t fully disclosing the nature and extent of the bug. All it says is that the bug could allow remote execution of code through packets sent to a Windows server. In some sense, this is worse than the “Heartbleed” OpenSSL bug, since the latter only exposed communications to eavesdroppers while this Schannel flaw potentially gives attackers control over a system. We say “potentially” because Microsoft claims that there has been no known attack that takes advantage of this vulnerability. Now that it has been disclosed, though, it could very well be just a matter of time.
The good news is that Microsoft already has a patch available that addresses this problem. There is no workaround other than downloading and applying this patch. The Schannel bug affects several Windows versions, including Windows Server 2003, Windows Vista and Windows Server 2008, Windows 7 and Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2.
There are other security flaws that Microsoft is patching this month, but the Schannel bug seems to be the worst of the batch. While the others require that users visit a specially crafted website in order to be compromised, this one can be triggered by an external attacker without any help from the user.