WinShock explained

Type: Exploit (from bug)
Common Name: WinShock
Technical Name: MS14-066
OSes: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 95, Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1
Exploits: Certificate Verification Bypass, Buffer Overflow, Remote Code Execution
Isolation Date: May 2014

WinShock is a computer exploit that targets a vulnerability in the Windows secure channel (SChannel) module and allows for remote code execution.[1] The exploit was discovered in May 2014 by IBM, who also helped patch the exploit.[2] The exploit was present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1.[3]

Details

WinShock exploits a vulnerability in the Windows secure channel (SChannel) security module that allows for remote control of a PC through a vulnerability in SSL, which then allows for remote code execution.[4] With the execution of remote code, attackers could compromise the computer completely and gain complete control over it.[5] The vulnerability was given a CVSS 2.0 base score of 10.0, the highest score possible.[6]

The attack exploits a vulnerable function in the SChannel module that handles SSL Certificates.[7] A number of Windows applications such as Microsoft Internet Information Services use the SChannel Security Service Provider to manage these certificates and are vulnerable to the attack.[8]

It was later discovered in November 2014 that the attack could be executed even if the IIS server was set to ignore SSL certificates, as the function was still run regardless. Microsoft Office[9] and Remote Desktop software in Windows could also be exploited in the same way, even though it did not support SSL encryption at the time.[10]

While the attack is covered by a single CVE and is considered to be a single vulnerability, it is possible to execute a number of different and unique attacks by exploiting the vulnerability, including buffer overflow attacks as well as certificate verification bypasses.[11]

Responsibility

The exploit was discovered and disclosed privately to Microsoft in May 2014 by researchers in IBM's X-Force team who also helped to fix the issue. It was later disclosed publicly on 11 November 2014, with a proof-of-concept released not long after.[12]

Notes and References

  1. "MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014 - Microsoft Support". support.microsoft.com. Retrieved 2024-04-28.
  2. "WinShock: A 19-year-old bug". www.eset.com. Retrieved 2024-04-28.
  3. "Microsoft patches 19-year-old Windows bug". CNET. Retrieved 2024-06-16.
  4. Mayer, Wilfried; Zauner, Aaron; Schmiedecker, Martin; Huber, Markus (2016-08-31). "No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large". 2016 11th International Conference on Availability, Reliability and Security (ARES). pp. 10–20. doi:10.1109/ARES.2016.11. ISBN 978-1-5090-0990-9. arXiv:1510.08646. https://ieeexplore.ieee.org/document/7784551
  5. "CERT/CC Vulnerability Note VU#505120". www.kb.cert.org. Retrieved 2024-06-16.
  6. "NVD - CVE-2014-6321". nvd.nist.gov. Retrieved 2024-06-16.
  7. Czumak, Mike (2014-11-29). "Exploiting MS14-066 / CVE-2014-6321 (aka "Winshock")". Security Sift. Retrieved 2024-06-16.
  8. "Triggering MS14-066 BeyondTrust Blog". BeyondTrust. Retrieved 2024-06-16.
  9. "Microsoft fixes '19-year-old' bug with emergency patch". BBC News. 2014-11-12. Retrieved 2024-06-16.
  10. Hutchins, Marcus (2014-11-19). "How MS14-066 (CVE-2014-6321) is More Serious Than First Thought – MalwareTech". malwaretech.com. Retrieved 2024-06-16.
  11. Talos Group (2014-11-11). "Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities". Cisco Blogs. Retrieved 2024-06-16.
  12. Leyden, John. "WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed". www.theregister.com. Retrieved 2024-06-16.