Type: | Exploit (from bug) |
Common Name: | WinShock |
Technical Name: | MS14-066 |
Oses: | Windows Server 2003, Windows Server 2008, Windows Server 2008 R2,, Windows Server 2012, Windows Server 2012 R2, Windows 95, Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1 |
Exploits: | Certificate Verification Bypass, Buffer Overflow, Remote Code Execution |
Isolation Date: | May 2014 |
WinShock is computer exploit that exploits a vulnerability in the Windows secure channel (SChannel) module and allows for remote code execution.[1] The exploit was discovered in May 2014 by IBM, who also helped patch the exploit.[2] The exploit was present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1[3]
WinShock exploits a vulnerability in the Windows secure channel (SChannel) security module that allows for remote control of a PC through a vulnerability in SSL, which then allows for remote code execution.[4] With the execution of remote code, attackers could compromise the computer completely and gain complete control over it.[5] The vulnerability was given a CVSS 2.0 base score of 10.0, the highest score possible.[6]
The attack exploits a vulnerable function in the SChannel module that handles SSL Certificates.[7] A number of Windows applications such as Microsoft Internet Information Services use the SChannel Security Service Provider to manage these certificates and are vulnerable to the attack.[8]
It was later discovered in November 2014 that the attack could be executed even if the ISS Server was set to ignore SSL Certificates, as the function was still ran regardless. Microsoft Office,[9] and Remote Desktop software in Windows could also be exploited in the same way, even though it did not support SSL encryption at the time.[10]
While the attack is covered by a single CVE, and is considered to be a single vulnerability, it is possible to execute a number of different and unique attacks by exploiting the vulnerability including buffer overflow attacks as well as certificate verification bypasses.[11]
The exploit was discovered and disclosed privately to Microsoft in May 2014 by researchers in IBM's X-Force team who also helped to fix the issue. It was later disclosed publicly on 11 November 2014, with a proof-of-concept released not long after.[12]