General Discussion
Potentially catastrophic bug bites all versions of Windows. Patch now
http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/
Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.
The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.
While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.
"If they install software that listens on port, then that machine would be vulnerable," he said. An example would be "if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client."
Snip
Do WINDOWS update
shenmue
(38,506 posts)
LiberalArkie
(15,719 posts)
Tuesday's disclosure means that every major TLS stack, including Apple SecureTransport, GNUTLS, OpenSSL, NSS, and now Microsoft SChannel, has had a severe vulnerability this year.
Children, can we say that the NSA, FBI and CIA are now going to be really pissed off.
I think every company and open source org has had a plant in them for quite a while.
And as a side note: it is going to also piss off a lot of hackers who will not have their entry points any more.
dixiegrrrrl
(60,010 posts)
for us non-geeks...... explanation pls? ...
LiberalArkie
(15,719 posts)
software engineers who were really working for the NSA/CIA/DIS etc. The "bugs" that were found were the type that were not usually accidentally made.
Because of the doors that NSA etc put into Apple, Microsoft, Linux (via open source) software, hackers and others were able to find them and use them to their benefit.
1StrongBlackMan
(31,849 posts)
working so hard to exploit vulnerabilities used their genius to create something/anything positive ...
enlightenment
(8,830 posts)
I read yet another one of these things.
It's ineffably sad.
1StrongBlackMan
(31,849 posts)
destroy rather than build ... steal rather than earn ...
CountAllVotes
(20,875 posts)
I guess Microsoft is still supporting XP Pro whether they care to admit it or not.
Paper Roses
(7,473 posts)
is a wait and see what others are saying?
This old timer needs advice. Thanks
LiberalArkie
(15,719 posts)
to go ahead and get and install the patches.
What the bug does is make secure sessions insecure, but only on those coming in to your computer. Say you had a personal web server or something for home automation that allowed access from the outside. You would have a problem with the security.
But apply the update anyway.
Spazito
(50,365 posts)
I have my updates on automatic but am downloading them now instead thanks to your OP.
Baitball Blogger
(46,735 posts)
I think someone did manage to get in through a port a year ago.
napkinz
(17,199 posts)
to "immediately install a patch Microsoft released Tuesday morning" or as another member wrote, download the update?
What are the steps?
thanks
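The Ars excerpt quoted in the opening post says a client machine is exposed only if it runs software that listens on a port and accepts connections from outside, and the last reply asks what the concrete steps are. The script below is an added example written for this thread, not something from the article or from Microsoft: it lists the processes on a Windows machine that accept inbound TCP connections beyond loopback, and reports whether a given Windows Update package is installed. The KB number is a placeholder you must replace with the one named in the Microsoft advisory for your Windows version; the script uses `netstat -ano` rather than newer cmdlets so it also runs on Windows 7.

```powershell
# Added example (not from the thread): show what accepts inbound connections,
# then check whether a named update is present. Run from an elevated prompt.

# PLACEHOLDER: replace with the KB id from the Microsoft advisory for your OS.
$KbId = 'KB0000000'

function Get-ExternalListeners {
    # netstat -ano prints one line per socket; keep TCP sockets in LISTENING state.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' }
    foreach ($row in $rows) {
        $fields = $row -split '\s+' | Where-Object { $_ }     # drop empty tokens
        $local  = $fields[1]                                  # e.g. 0.0.0.0:443 or [::]:443
        $procId = [int]$fields[4]
        $sep    = $local.LastIndexOf(':')
        $addr   = $local.Substring(0, $sep)
        $port   = [int]$local.Substring($sep + 1)
        # Loopback-only listeners cannot be reached from another host; skip them.
        if (@('127.0.0.1', '[::1]') -contains $addr) { continue }
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = 'unknown'
        if ($proc) { $name = $proc.ProcessName }
        New-Object PSObject -Property @{
            Port = $port; Address = $addr; ProcessId = $procId; Process = $name
        }
    }
}

function Test-UpdateInstalled([string]$Id) {
    # Get-HotFix reads the installed-update list; $true if the package is present.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

$listeners = Get-ExternalListeners | Sort-Object Port
if ($listeners) {
    Write-Host 'Processes accepting inbound TCP connections from other hosts:'
    $listeners | Format-Table Port, Address, ProcessId, Process -AutoSize
} else {
    Write-Host 'No TCP listeners reachable from other hosts were found.'
}

if (Test-UpdateInstalled $KbId) {
    Write-Host "$KbId is installed."
} else {
    Write-Host "$KbId is NOT installed: open Windows Update and check for updates."
}
```

A web, FTP or remote-management service showing up in the first table is the situation the Qualys quote describes; whatever the table shows, the update still belongs on the machine.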