One week after the botched SChannel patch was issued, Microsoft still hasn't fixed it or pulled it. As of early Tuesday morning, MS14-066/KB 2992611 is still being stuffed down the Automatic Update chute, despite the extensive warnings online about TLS 1.2 breakdowns, SQL Server turning into molasses, IIS problems with Chrome, various internal errors (including 1250 and 1051), blocked ODBC access in SQL Server, and XML breakdowns.
This isn't merely anecdotal evidence from individually stung admins or sky-is-falling pablum from the press. It's an entire collection of real, bona fide problems that accompany many installations of KB 2992611.
On Nov. 12, Amazon issued an advisory about the botched Microsoft patch:
We have received reports that the patch that Microsoft supplied for MS14-066 has been causing issues, specifically that TLS 1.2 sessions are disconnecting during key exchange.
While we investigate this issue with the patch provided, we suggest that our customers review their security groups and ensure that external access to Windows instances has been appropriately restricted to the extent possible.
Now IBM has chimed in with its own advisory:
After applying the OS patch, B2B Integrator and FileGateway are unable to start up with the following error:
The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server returned an incomplete response. The connection has been closed.".
[2014-04-22 06:21:32.25] ERRORDTL com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server returned an incomplete response. The connection has been closed.".
IBM further advises, as of early Tuesday morning, "There is currently no workaround for this issue with the OS patch."
Even BlackBerry, for heaven's sake, has officially diagnosed a conflict between KB 2992611 and its Print to Go product.
The media hype around the patch is shocking. At least, it would've been shocking a few years ago. With a fancy new name -- WinShock -- the press is comparing this SChannel security hole to the Heartbleed OpenSSL vulnerability, the Bash/Shellshock Linux hole, the PowerPoint problem called Sandworm, and your Aunt Mabel's debilitating attack of psoriasis.
And if I see another "news" report that says WinShock is a 19-year-old security hole, I'm gonna scream. The SChannel fix, MS14-066/KB 2992611/WinShock is CVE-2014-6321. That 19-year-old security hole in OLEAuto is CVE-2014-6332, and it was patched by MS14-064/KB 3011443.
Microsoft hasn't helped in any of this. Although the 'Softies updated the KB 2992611 article to talk about a workaround for one of the side effects of installing the patch, there's been essentially no other communication about it. SANS Internet Storm Center honcho Dr. Johannes Ullrich gives Microsoft the benefit of the doubt:
Sadly, MS14-066 hasn't been Microsoft's best vulnerability announcement. The initial bulletin omitted important details (like the impact of the certificate bypass vulnerability). So far, a total of 3 vulnerabilities are being discussed in conjunction with MS14-066, while the bulletin only lists one CVE number. How the bug was disclosed has also caused confusion, with some Microsoft publications listing external discovery (but private disclosure) and others indicating internal disclosure.
More critical commenters aren't as kind. Microsoft's flip-flop on the source of the bug has led to all sorts of speculation. Was it found in-house? If not, who found it? What, exactly, does the patch fix? Last week, Metasploit honcho HD Moore tweeted:
The MS14-066 patch was minimal on 2003 SP2, but fixes a lot of undocumented bugs on Vista+ (LSASRV, LSM). Add SMB to the list of vectors
The fact is, we know very little about KB 2992611 and, as Toby Meyer explains on his blog, that isn't good for anybody:
[Microsoft mentions] the addition of four new cipher suites but there is one other change that may impact you that is not mentioned. I've found that this patch also re-orders the cipher suites. Historically Microsoft has notified customers when re-ordering cipher suites; see KB2919355 for example. This is important to understand for two reasons, one theoretical and one practical.
Theoretical is that changing cipher suites impacts your security posture, and one should always know these things going into a patch. Fortunately most of the re-order does seem in line with a tighter security policy.
Practical is that this can break connectivity with some applications. Specifically, one of my peers found that Java 6 based applications attempting purposely or otherwise to use the ECDH key agreement protocol will fail to connect.
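A defender-side check prompted by Meyer's point, added here and not taken from the article or from his blog: a PowerShell script that snapshots the SChannel cipher suite order from the registry before a patch and reports which suites were added, removed or moved afterward. It assumes the standard registry locations for the Group Policy and local cipher suite lists on Windows Vista / Server 2008 and later; the file path in the usage comment is a placeholder.

```powershell
# Added example: catch a silent SChannel cipher suite re-order by diffing a
# pre-patch snapshot against the post-patch order. Assumption: standard
# registry layout (policy list is a comma-separated REG_SZ, local list is
# REG_MULTI_SZ); a Group Policy order, if present, overrides the local one.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherOrder {
    $key = if (Test-Path $policyKey) { $policyKey } else { $localKey }
    $value = (Get-ItemProperty -Path $key -Name Functions).Functions
    # Normalize both storage formats to a plain string array, in order.
    if ($value -is [string]) { $value -split ',' } else { @($value) }
}

function Save-CipherOrderSnapshot {
    param([string]$Path)
    Get-SchannelCipherOrder | Set-Content -Path $Path -Encoding ASCII
}

function Compare-CipherOrderSnapshot {
    param([string]$BeforePath)
    $before = @(Get-Content -Path $BeforePath)
    $after  = @(Get-SchannelCipherOrder)

    $added   = @($after  | Where-Object { $before -notcontains $_ })
    $removed = @($before | Where-Object { $after  -notcontains $_ })

    # Suites present in both snapshots whose position changed: this is the
    # re-order Meyer describes, and it is invisible unless you look for it.
    $common = $before | Where-Object { $after -contains $_ }
    $moved = @(foreach ($suite in $common) {
        $i = [array]::IndexOf($before, $suite)
        $j = [array]::IndexOf($after, $suite)
        if ($i -ne $j) { '{0}: position {1} -> {2}' -f $suite, $i, $j }
    })

    [pscustomobject]@{ Added = $added; Removed = $removed; Moved = $moved }
}

# Usage (path is a placeholder):
#   before patching: Save-CipherOrderSnapshot -Path C:\temp\ciphers-before.txt
#   after patching:  Compare-CipherOrderSnapshot -BeforePath C:\temp\ciphers-before.txt | Format-List
```

Any suite that lands in Moved or Added is a change to your negotiated-cipher posture that the patch notes did not announce, and a good candidate to test against the oldest TLS clients you still support.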
On Nov. 14, ethical hacking site Immunity published a Canvas module that supposedly contains exploit code for the SChannel vulnerability. I haven't seen anything similar for Metasploit. I see no reports of an exploit in the wild, so assume that the Canvas approach is ... challenging.
Where does that leave us? With one stinking mass of nothing. Aside from a four-registry-key workaround for TLS crashes, Microsoft has given users no details, no guidance -- and the patch is still rolling down the Automatic Update chute.
If Amazon, IBM, and BlackBerry can offer straight talk, why not Microsoft?