A few months ago Heartbleed, apparently named after a James Bond villain, was a security bug that made headlines even in major, non-tech focused publications. This well-known bug was a flaw in the OpenSSL cryptography library, which is a layer of security between your computer and the servers of many major online services. Hackers were able to exploit this flaw and extract sensitive information such as usernames and passwords for websites including Facebook, Gmail, Netflix, and WordPress.
Now another crypto flaw is making headlines. A security bulletin recently released by Microsoft warns service providers and IT administrators of a weakness in the Secure Channel (SChannel) provider that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols to secure web browsing and communication with other servers.
Like Heartbleed, this SChannel bug allows hackers to access to sensitive information. While this flaw does affect every supported version of Windows and Windows Server software, Microsoft reminds users that so far no one has been attacked.
“Server and workstation systems that are running an affected version of SChannel are primarily at risk,” the software juggernaut announced on Tuesday, November 11th. “An attacker could attempt to exploit this vulnerability by sending specially crafted packets to a Windows server. Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers.”
While no attacks have been reported yet, the clock is ticking. Experts estimate it is only a matter of days before someone exploits this vulnerability. “My guess is that you probably have a week, maybe less, to patch your systems before an exploit is released,” wrote Johannes Ullrich, Ph.D. in a November 12th blog post on the Internet Storm Center blog.
Ullrich also advises service providers and IT administrators to take care while patching to protect themselves from future attacks using the SChannel bug. “Patching is only in part about speed,” Ullrich writes. “Don’t let speed get in the way of good operations and procedures. It is at least as important to patch in a controlled, verifiable and reproducible way. Anything else will leave you open to attack due to incomplete patching.”
Only one question remains: what cool name will the media come up with for the SChannel bug to meet the bar that Heartbleed set? Skulldrop? Cliffjump? Devilfinger? Only time will tell.