One vulnerability, CVE-2014-6332, had been remotely exploitable for 18 years prior to its patch, and could be used by an attacker to circumvent Microsoft's free anti-exploitation tool EMET and the Enhanced Protected Mode (EPM) sandbox in Internet Explorer 11 to carry out drive-by attacks.
The other bug, CVE-2014-6321, impacts the Windows Secure Channel (Schannel) security package, the technology that implements the SSL and TLS secure communications protocols. On Wednesday, researchers at Rapid7 noted that, while the Schannel bug shouldn't be quickly likened to Heartbleed or the Bash bug in the security risk it poses, the vulnerability should be patched across all clients and servers “as soon as possible.”
According to Microsoft, its patch corrects the way Schannel “sanitizes specially crafted packets.” Without the fix in place, however, a remote attacker could exploit the vulnerability to run arbitrary code on a targeted server.
“We have seen this vulnerability being compared to Heartbleed and want to dispel some of the myths floating around,” Josh Feinblum, vice president of information security at Rapid7, wrote in the blog post. “This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities. Heartbleed, Bash bug, and Sandworm are all security risks that were being actively exploited in the wild upon their publication, and exploitation was relatively trivial. Additionally, sufficient remediation via patching was not readily available at the same time when some of these risks were publicly disclosed,” he continued.
While it may not have reached Heartbleed status, the patch should be top of mind, Feinblum said, since Schannel provides secure communications for a number of Microsoft products, including Active Directory, Internet Information Services (IIS), Exchange, IE and Windows Update.
The other bug gaining the attention of security experts, CVE-2014-6332, was designated by Microsoft as a “Windows OLE automation Array Remote Code Execution Vulnerability” on Patch Tuesday. That day, IBM X-Force Research manager Robert Freeman detailed the issue on the company's Security Intelligence blog, noting that the bug impacts every version of Microsoft Windows since Windows 95.
He revealed that the vulnerability has been around for nearly two decades.