
Critical Schannel Vulnerability – MS14-066

In the November 2014 security bulletin there were 14 updates released. The updates resolved security issues in IE, OLE and Schannel. It is the last of these that is worth calling out for attention, since Schannel is the basis of the Microsoft implementation of SSL. Exchange makes heavy use of SSL, and is typically connected to the Internet.

You can read about the other security details in the security bulletin summary.  CVE also has an entry for the issue.

MS14-066 / MS014-066 is pernicious for several reasons:

  • It applies to all supported versions of Windows from Vista to 2012 R2
  • Server core is affected (though Exchange is not supported on server core)
  • There are no Microsoft workarounds
  • There are no Microsoft mitigating factors
  • To mitigate the risk you must patch
  • The vulnerability allows remote code execution.

Update 16-11-2014:  KB 2992611 has information on known issues.

Update 18-11-2014: V2 of the bulletin was released.  Details from the update:

Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.

As of writing, the MSRC and other security assets do not report that there are attacks in the wild, since the issue was responsibly disclosed to Microsoft. However, it is only a matter of time…

Call To Action

Test, Validate And Install this update ASAP
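
To confirm where the update has landed, the following added example (not part of the original post) reports per server whether KB2992611 is listed, and flags Windows Server 2008 R2 and 2012 hosts that installed it before the November 18 reoffering. The server names are placeholders, and it assumes remote WMI access to each host.

```powershell
# Added example: report KB2992611 (MS14-066) status for a list of servers.
$Servers   = @('EXCH01', 'EXCH02')      # hypothetical host names, replace with your own
$KbId      = 'KB2992611'
$Reoffered = [datetime]'2014-11-18'     # V2.0 reoffering date from the bulletin revision

function Get-Ms14066Status {
    param([string]$OsVersion, $HotFix, [datetime]$Reoffered)

    # Kernel 6.1 = Windows Server 2008 R2, 6.2 = Windows Server 2012:
    # the two server versions the bulletin says must reapply the update.
    $reofferedOs = ($OsVersion -like '6.1.*') -or ($OsVersion -like '6.2.*')

    if (-not $HotFix)      { return 'MISSING - install' }
    if (-not $reofferedOs) { return 'Installed' }
    # InstalledOn can be empty on some systems; do not guess in that case.
    if (-not $HotFix.InstalledOn) { return 'Installed - date unknown, verify manually' }
    if ($HotFix.InstalledOn -lt $Reoffered) { return 'REAPPLY - installed before reoffering' }
    return 'Installed'
}

$report = foreach ($server in $Servers) {
    try {
        # -ErrorAction Stop so an unreachable host is reported, not counted as unpatched.
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        # Get-HotFix writes a non-terminating error when the ID is absent; treat that as $null.
        $fix = Get-HotFix -Id $KbId -ComputerName $server -ErrorAction SilentlyContinue |
               Select-Object -First 1
        New-Object psobject -Property @{
            Server      = $server
            OS          = $os.Caption
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
            Status      = Get-Ms14066Status -OsVersion $os.Version -HotFix $fix -Reoffered $Reoffered
        }
    }
    catch {
        New-Object psobject -Property @{
            Server = $server; OS = $null; InstalledOn = $null
            Status = "UNREACHABLE - $($_.Exception.Message)"
        }
    }
}

$report | Select-Object Server, OS, InstalledOn, Status | Format-Table -AutoSize
```

Get-HotFix only lists updates recorded under that exact KB number, so a host patched solely by a later superseding update will show as MISSING; treat that result as a prompt to check the host rather than as proof it is unpatched.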

There are other security issues also resolved by this month’s security releases, for example in TCP/IP, which is MS14-070 / MS014-070. The TCP/IP vulnerability is an elevation of privilege, whereas the Schannel vulnerability allows remote code execution.

Both are not good, so please let’s get our servers patched and protected!

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
