
LiberalArkie

(15,719 posts)
Wed Nov 12, 2014, 12:15 PM

Potentially catastrophic bug bites all versions of Windows. Patch now

http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

"If they install software that listens on port, then that machine would be vulnerable," he said. An example would be "if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client."

Snip


Do WINDOWS update

LiberalArkie

(15,719 posts)
2. This means that every secure stack has had an error
Wed Nov 12, 2014, 12:21 PM

Tuesday's disclosure means that every major TLS stack—including Apple SecureTransport, GNUTLS, OpenSSL, NSS, and now Microsoft SChannel—has had a severe vulnerability this year.


Children can we say that the NSA, FBI and CIA are now going to be really pissed off.

I think every company and open source org has had a plant in them for quite a while.

And as a side note: it is going to also piss off a lot of hackers who will not have their entry points any more.

dixiegrrrrl

(60,010 posts)
6. " the NSA, FBI and CIA are now going to be really pissed off. "
Wed Nov 12, 2014, 12:27 PM

for us non-geeks......explanation pls? ...

LiberalArkie

(15,719 posts)
10. It was thought that unknown to Apple and others that they had hired
Wed Nov 12, 2014, 12:39 PM

software engineers who were really working for the NSA/CIA/DIS etc. The "bugs" that were found were the type that were not usually accidentally made.

Because of the doors that NSA etc put into Apple, Microsoft, Linux (via open source) software, hackers and others were able to find them and use them to their benefit.

 

1StrongBlackMan

(31,849 posts)
3. Just imagine if all those ...
Wed Nov 12, 2014, 12:24 PM

working so hard to exploit vulnerabilities used their genius to create something/anything positive ...

 

1StrongBlackMan

(31,849 posts)
8. But I guess this is what society is devolving to ...
Wed Nov 12, 2014, 12:36 PM

destroy rather than build ... steal rather than earn ...

CountAllVotes

(20,875 posts)
4. Said "patch" is downloading on XP Pro
Wed Nov 12, 2014, 12:24 PM

I guess Microsoft is still supporting XP Pro whether they care to admit it or not.





Paper Roses

(7,473 posts)
5. Is this one of the 'do it now' things or
Wed Nov 12, 2014, 12:26 PM

is a wait and see what others are saying?

This old timer needs advice. Thanks

LiberalArkie

(15,719 posts)
11. You probably have n problem have the bug, but it will not hurt anything
Wed Nov 12, 2014, 12:43 PM

to go ahead and get and install the patches.

What the bug does is make secure sessions insecure, but only on those coming in to your computer. Say you had a personal web server or something for home automation that allowed access from the outside. You would have a problem with the security.

But apply the update anyway.
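
An added example, not part of the thread or the quoted article: the article's point that a client machine is exposed when it runs software that "listens on port" and accepts outside connections, and the home web server case in the post above, both come down to which TCP listeners on the machine are reachable from elsewhere. The function below (its name and parameters are hypothetical) filters `netstat -ano` output down to those listeners; it assumes English-language netstat output and cannot tell which listeners actually use schannel, so it only narrows the list to review.

```powershell
# Added example: list TCP listeners that other machines can reach.
# Parses `netstat -ano` text, so it also runs on PowerShell 2.0 (Windows 7).
# Assumption: English-language Windows, where the state column reads LISTENING.
function Get-ExposedListener {
    param(
        # Lines of `netstat -ano` output; defaults to the local machine.
        [string[]]$NetstatLines = (netstat -ano),
        # Look up process names locally; only meaningful for live output.
        [switch]$ResolveNames
    )
    foreach ($line in $NetstatLines) {
        # Row shape: TCP  <local addr>:<port>  <remote>  LISTENING  <pid>
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $addr   = $Matches[1]
            $port   = [int]$Matches[2]
            $procId = [int]$Matches[3]   # not $pid: that is PowerShell's own process id

            # Loopback-only listeners are not reachable from other machines.
            if ($addr -like '127.*' -or $addr -eq '[::1]') { continue }

            $name = ''
            if ($ResolveNames) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                if ($proc) { $name = $proc.ProcessName }
            }
            New-Object PSObject -Property @{
                LocalAddress = $addr; Port = $port; ProcessId = $procId; ProcessName = $name
            }
        }
    }
}

# Constructed sample rows (not captured from a real host).
$sample = @(
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4'
    '  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       1220'
    '  TCP    192.168.1.20:21        0.0.0.0:0              LISTENING       2816'
    '  TCP    [::]:443               [::]:0                 LISTENING       4'
    '  TCP    192.168.1.20:49211     203.0.113.7:443        ESTABLISHED     3100'
)
Get-ExposedListener -NetstatLines $sample | Select-Object LocalAddress, Port, ProcessId

# Live check on the local machine:
# Get-ExposedListener -ResolveNames | Sort-Object Port
```

A listener that appears here may still be blocked by the host firewall or a router, so an empty list is a stronger signal than a non-empty one.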

Spazito

(50,365 posts)
9. Thanks for the heads-up...
Wed Nov 12, 2014, 12:38 PM

I have my updates on automatic but am downloading them now instead thanks to your OP.

Baitball Blogger

(46,735 posts)
12. That may have been around for at least a year.
Wed Nov 12, 2014, 01:00 PM

I think someone did manage to get in through a port a year ago.

napkinz

(17,199 posts)
13. for those of us who are basically computer illiterate, could someone explain HOW
Wed Nov 12, 2014, 01:46 PM

to "immediately install a patch Microsoft released Tuesday morning" or as another member wrote, download the update?

What are the steps?

thanks

