

Microsoft fixes '19-year-old' bug with emergency patch - makphir
http://www.bbc.com/news/technology-30019976

======
fname
> Specifically, it related to Microsoft Secure Channel, known as Schannel,
> Microsoft's software for implementing secure transfer of data.

I'm confused... The article says this research relates to the SChannel
vulnerability being patched this month and cites IBM Researchers[1] finding
it, but the link to the blog post showing the work is towards OLE and not
SChannel. Also, Microsoft has mentioned that they found[2] the SChannel
vulnerability through an internal audit. To me, it seems the research is
talking about CVE-2014-6332[3], which shows the patch as MS14-064. MS14-066 is
the patch for the SChannel vulnerability.

Either BBC is confused on which patch they're trying to report on, or I am.

Anyone similarly confused as I am?

[1] [http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGNiR2MhDwB](http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGNiR2MhDwB)

[2] [http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx](http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx)

[3] [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332)

~~~
thefreeman
I think the BBC reporter likely got confused. However, it seems
[http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGNke_nF8wJ](http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGNke_nF8wJ)
_is_ a blog post about a 19 year old remotely exploitable bug being fixed
recently, so it seems like if anything the link should go there.

~~~
fname
Completely agree, maybe the mods can fix the link.

------
rikkus
BBC technology reporting at its usual standard.

"In computer security, a drive-by attack typically means making users download
malicious software."

That's really not clear. It means that you'll get infected by simply passing
by [a website] rather than actively doing anything.

~~~
MichaelApproved
While it's good to point out errors in the article, it'd be helpful to include
the correction as well.

_A 'drive-by-download' attack is a malware delivery technique that is
triggered simply because the user visited a website. Traditionally, malware
was only 'activated' as a result of the user proactively opening an infected
file (for example, opening an email attachment or double clicking on an
executable that had been downloaded from the Internet)._

Source:
[https://www.comodo.com/resources/home/newsletters/nov-10/ask-geekbuddy.php](https://www.comodo.com/resources/home/newsletters/nov-10/ask-geekbuddy.php)

------
72deluxe
Confused BBC.

[https://technet.microsoft.com/library/security/MS14-066](https://technet.microsoft.com/library/security/MS14-066)

[https://technet.microsoft.com/library/security/ms14-064](https://technet.microsoft.com/library/security/ms14-064)

Full list of updates:
[https://technet.microsoft.com/library/security/ms14-nov](https://technet.microsoft.com/library/security/ms14-nov)

Of significant importance too are the Flash Player updates released:
[http://helpx.adobe.com/security/products/flash-player/apsb14-24.html](http://helpx.adobe.com/security/products/flash-player/apsb14-24.html)

~~~
shashikant52004
I agree with the flash player update... seems all (flash) video players on IE8
stopped working now.

------
userbinator
Reminds me of this one...
[http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability](http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability)

Another long-lived bug that someone finally managed to discover and exploit.

I wonder if it's related to this one 4 years ago:
[http://www.cvedetails.com/cve/CVE-2010-2566/](http://www.cvedetails.com/cve/CVE-2010-2566/)

------
giancarlostoro
So if this really goes back that far, I would hate to be anyone using Windows
XP.

~~~
danielweber
XP is 13 years old.

When the Blaster worm hit in 2003, the Unix people laughed, because they were
immune. The Morris worm was ancient history, because it had been 15 years
since that hit.

XP is almost ancient history. You shouldn't be running it, any more than you
should've been running something vulnerable to the Morris worm in 2003.

_edit_ 'omh makes a good point below

~~~
k-mcgrady
You shouldn't be running it, but a hell of a lot of people and businesses still
are. And MS is to blame IMO. They continued extending support; they screwed up
with Vista and, after making things right with Windows 7, screwed up again
(although nowhere near as badly as with Vista) with Windows 8.

I also know of people running XP because it's incredibly stable now and they
don't see anything in newer versions of Windows they really want or need.

~~~
easytiger
The pace of change in big orgs means it takes 2-3 years to implement a change
like xp->win 7. When you have 100k employees and regulatory hell and have
outsourced every last bit of everything, you are pretty fucked.

~~~
custardcream
If you think that's bad, try the NHS in the UK. It's the largest organisation
in the world with 1.4M employees (!). They've been rolling Windows 7 out for 4
years. It'll be obsolete when they've finished.

~~~
baha_man
..."the NHS in the UK. It's the largest organisation in the world with 1.4M
employees..."

It's big, but it's not that big, fifth or sixth largest employer in the world
according to Wikipedia:

[http://en.wikipedia.org/wiki/List_of_largest_employers#Large...](http://en.wikipedia.org/wiki/List_of_largest_employers#Largest_public_and_private_employers_in_the_World)

~~~
custardcream
Ok I'm a bit off there. My data was from 2009 :)

Plus DoD is several branches so that's a bit of a push.

------
Robin_Message
We upgraded to this, only to find it activates some new encryption modes (4
new GCM suites) that don't seem to function properly for us. Anyone else seen
that issue?

(Technical details: If the client offers one of the suites, the server is
accepting it in the ServerHello, but then RSTing the connection after the
client sends its encrypted handshake, and the event log says "none of the
cipher suites supported by the client application are supported by the
server". Browsers and curl don't use that suite, but Amazon ELB does.)

~~~
duckhead814
Yes, all of our AWS EC2 Windows instances sitting behind an ELB with the
latest AWS Security Protocols will not communicate with the ELB after this
update.

I was able to fix this by reconfiguring the available cipher suites within
IIS. Downloaded the IIS Crypto tool
[https://www.nartac.com/Products/IISCrypto/Default.aspx](https://www.nartac.com/Products/IISCrypto/Default.aspx)
and applied their "Best Practices" which removed a bunch of insecure ciphers.
After that the AWS ELB and IIS happily communicated.
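To make the symptom described above, and the effect of reconfiguring the cipher suites, something you can check from a client, here is an added diagnostic (my own example, not code from either poster, from Microsoft or from IIS Crypto): it offers the server exactly one suite over TLS 1.2 and reports whether the handshake completes, the suite is refused cleanly, or the server agrees and then resets. It assumes a reachable host, and that the four RSA/DHE GCM suites listed are the ones the update enabled, since the posts do not name them.

```python
import socket
import ssl

# OpenSSL names for the four RSA/DHE GCM suites. Assumption: these are the
# "4 new GCM suites" the post refers to; the thread does not list them.
GCM_SUITES = [
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
]


def classify_failure(exc: BaseException) -> str:
    """Map a failed handshake onto the behaviour the server showed."""
    if isinstance(exc, ConnectionResetError):
        # Server picked the suite in ServerHello, then reset the connection
        # once the client's encrypted handshake arrived: the thread's symptom.
        return "reset-after-serverhello"
    if isinstance(exc, ssl.SSLError):
        msg = str(exc)
        if "No cipher can be selected" in msg:
            return "suite-unavailable-locally"   # local OpenSSL lacks it
        if "HANDSHAKE_FAILURE" in msg or "NO_SHARED_CIPHER" in msg:
            return "suite-rejected"              # clean refusal, the good case
        return "tls-error"
    if isinstance(exc, OSError):
        return "connect-error"                   # refused, timeout, DNS, ...
    return "unknown"


def probe_suite(host: str, suite: str, port: int = 443,
                timeout: float = 5.0) -> str:
    """Offer exactly one suite over TLS 1.2 and report how the server reacts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # diagnosing the handshake, not the cert
    try:
        ctx.set_ciphers(suite)         # ClientHello will carry only this suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok:" + tls.cipher()[0]
    except Exception as exc:           # classify rather than crash
        return classify_failure(exc)


def probe_all(host: str, suites=GCM_SUITES) -> dict:
    """Run every suite against one host; compare the output before and after."""
    return {suite: probe_suite(host, suite) for suite in suites}
```

Run `probe_all()` against the affected IIS host before and after changing the cipher suite order; a suite that moves from "reset-after-serverhello" to "suite-rejected" is one the server no longer advertises.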

~~~
Robin_Message
Thanks, nice to know there's not just something wrong with us! We made exactly
the same fix with the same tool funnily enough.

------
vlammerbot
"Cutting to the chase, VBScript permits in-place resizing of arrays through
the command “redim preserve.” This is where the vulnerability is.

redim preserve arrayname( newsizeinelements ) ... For VBScript, exploitation
of this bug could have been avoided by invalidating the common “On Error
Resume Next” VBScript code when the OleAut32 library returns with an error."

Always thought there was something shady about VB and redimming -- and On
Error Resume Next. ;^) But that explains why it's as old as VB itself.

------
danielweber
It's Patch Tuesday. What makes this an "emergency patch"?

~~~
eat
It's really "what should have been an emergency patch", if they're referring
to MS14-066. Article is kind of confusing as to what vuln they're actually
referring to, though.

------
pbhjpbhj
So I should "update" my old laptop to Vista?

------
noinsight
BBC delivers again, this is quality tech journalism unlike the usual stuff
from other outlets (IMO).

------
mkhalil
I wouldn't be surprised if this was an "oh we found a bug, let's leave it"
backdoor.

