Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Waste no time patching Windows Schannel, OLE bugs, experts warn

Two critical bugs, both residing in Microsoft Windows, received a Patch Tuesday update this week – but the security community is chiming in to urge users to waste no time implementing these fixes.  

One vulnerability, CVE-2014-6332, had been remotely exploitable for 18 years prior to its patch, and could be used by an attacker to circumvent Microsoft's free anti-exploitation tool EMET and its Enhanced Protected Mode (EPM) sandbox in Internet Explorer 11 to carry out drive-by attacks.

The other bug, CVE-2014-6321, impacts the Windows Secure Channel (Schannel) security package, technology that implements SSL and TLS secure communications protocols. On Wednesday, researchers at Rapid7 noted that, while the Schannel bug shouldn't be quickly likened to Heartbleed or Bash bug in the security risk it poses, the vulnerability should be patched across all clients and servers “as soon as possible.”

According to Microsoft, its patch corrects the way Schannel “sanitizes specially crafted packets.” Without the fix in place, however, a remote attacker could exploit the vulnerability to run arbitrary code on a targeted server.

“We have seen this vulnerability being compared to Heartbleed and want to dispel some of the myths floating around,” Josh Feinblum, vice president of information security at Rapid7, wrote in the blog post. “This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities. Heartbleed, Bash bug, and Sandworm are all security risks that were being actively exploited in the wild upon their publication, and exploitation was relatively trivial.  Additionally, sufficient remediation via patching was not readily available at the same time when some of these risks were publicly disclosed,” he continued.

While it may not have reached Heartbleed status, the patch should be top of mind, Feinblum said, since SChannel allows secure communications on a number of Microsoft products, including Active Directory, Internet Information Services (ISS), Exchange, IE and Windows Update.

The other bug gaining the attention of security experts, CVE-2014-6332, was designated by Microsoft as a “Windows OLE automation Array Remote Code Execution Vulnerability” on Patch Tuesday. That day, IBM X-Force Research manager Robert Freeman detailed the issue on the company's Security Intelligence blog, noting that the bug impacts every version of Microsoft Windows since Windows 95.

He revealed that the vulnerability has been around for nearly two decades.

“Looking at the original release code of Windows 95, the problem is present,” Freeman wrote. “With the release of IE 3.0 [in 1996], remote exploitation became possible because it introduced Visual Basic Script (VBScript). Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32),” he said.

Microsoft fixed the bug Tuesday with its top bulletin MS14-064, but Freeman reinforced that it could be used by an attacker for drive-by attacks “to reliably run code remotely and take over the user's machine,” bypassing Microsoft protections, like the widely used EMET anti-exploitation tool and the Enhanced Protected Mode (EPM) sandbox in IE 11.

There are currently no reports of the bug being exploited in the wild as such a feat would be “tricky,” Freeman explained, detailing a number of factors that make exploitation difficult, including the fact that array elements are a fixed sized.

In a follow up interview with SCMagazine.com, Freeman said Wednesday that the OLE bug falls in a class of data manipulation bugs that is “very interesting.”

“The reliability of exploitation of the bug that I disclosed is exceptionally high. It's really hard to conceptually come up with exploitation scenarios for the bug I disclosed, but once you have that, it becomes very formulaic,” he said, adding that for an attacker, “the same VBScript code will cause the exact same outcome all of the time.”

He added that organizations should promptly employ the patch, especially since users often underestimate their use of IE.

“Often users claim they don't use Internet Explorer, but for corporate users there's usually something that necessitates the use of IE either for legacy reasons or [another functionality]. You could still find yourself in a situation where you have forgotten to switch to a more secure environment,” Freeman said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.