Microsoft's recent SSL patch causes issues - update system remains seriously flawed

An important update Microsoft released last Tuesday fixing a critical vulnerability in Windows can cause issues on some occasions. The affected update is Security Bulletin MS14-066 which patches a vulnerability in Microsoft Secure Channel (Schannel), a default SSL library which Windows uses for  SSL connections. Most Windows software that make secure connections over SSL use Schannel.

myce-microsoft-logo

ADVERTISEMENT

In certain configurations where the encryption protocol TLS 1.2 is enabled by default and a connection over TLS fails, the process can lock,  become unresponsive and display an error message. To solve the issue Microsoft has published a workaround  in which it advises to remove several encryption options from the Windows Registry manually.

According to Johannes Ullrich from the Internet Storm Center Microsoft's communication regarding the issue leaves much to be desired. The company doesn't publish important information on the impact of a possible attack where a certificate is circumvented and also three other vulnerabilities are related to the issue while Microsoft only lists the issue under a single issue causing the problems to be possibly overlooked.

It's also unclear how the issue is discovered, Microsoft has stated the issue was found during an internal audit, while the company also stated an external party discovered the issue. The information is important to know whether the vulnerability has been exploited in the wild.

ADVERTISEMENT

It's not the first time there are issues with Windows updates, earlier this year the company had to withdraw an update to Lync Server, also a major update to Window 8.1 was withdrawn after users could no longer boot into Windows.

No posts to display