Bug in the ssl implementation in Windows allows an attacker to run code


All recent versions of Windows include a serious bug in the ssl/tls software, Microsoft has announced. The bug allows an attacker to run code of their own by sending prepared packets to a server.

Servers that run on Windows are therefore most at risk from the vulnerability, but it can also affect desktops and laptops. That is possible if they run software that listens on a port, for example an ftp server or the web interface of a torrent client.

Microsoft has published very few details about the bug, other than that an attacker can run their own code by sending prepared packets to a server. It is not clear with which rights an attacker's code would run. That may depend on the rights of the process to which the packets are sent. If an attacker does not have administrative permissions, he could obtain them by using a different vulnerability.

Microsoft rolled out a patch for the bug during its traditional patch round on the second Tuesday of the month. According to the software giant, there are no indications that the bug is being abused in practice. The vulnerability was discovered by a security researcher. Now that the vulnerability is public, however, it is likely that attackers will try to exploit it.

Microsoft's ssl/tls implementation, Schannel, is the latest major ssl/tls implementation to face a vulnerability this year. Earlier, Apple's implementation struggled with the goto fail bug, which made the contents of ssl traffic visible, and the Heartbleed bug in OpenSSL allowed the internal memory of a web server to be read. Chrome and Firefox furthermore accepted fake ssl certificates, while GnuTLS was vulnerable twice this year.
