Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

November 12, 2014

Potentially catastrophic bug bites all versions of Windows. Patch now

Filed under: Cybersecurity, Microsoft — Patrick Durusau @ 10:41 am

Potentially catastrophic bug bites all versions of Windows. Patch now by Dan Goodin.

From the post:

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

This sort of security announcement makes you nostalgic for the Black Screen and Blue Screen of Death doesn’t it? While looking up the reference on the Blue Screen of Death, I discovered that Windows still has that feature. I was thinking about the Blue Screen of Death from Windows NT days. I haven’t seen a blue screen on Windows XP so assumed they had fixed those issues. My bad.

Danger, Danger!

This security update is rated Critical for all supported releases of Microsoft Windows. (emphasis added)

The earliest versions of Windows listed as affected are Windows Vista and Windows Server 2003.

Which excludes Windows XP, whose security support ended on April 8, 2014.

I mention that because of 95% of bank ATMs face end of security support by Jose Pagliery.

Yes, an estimated 95% of bank ATMs were running Windows XP. Some banks were reported to have made arrangements with Microsoft for continued support, but which banks and for how long isn’t known.

The security bulletin doesn’t say whether the vulnerability exists in Windows XP, since XP is no longer listed as affected software, but you could start looking with an earlier Schannel bulletin that did cover the older releases: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840), published June 12, 2007. That is a different security issue in Schannel, but it identifies the component and files involved.

If you confirm the MS14-066 issue on Windows XP, please post a comment. Thanks!

PS: Better organization of the Windows documentation would help security researchers. Being able to navigate from a release to the specific files affected by a particular problem, and from those files back to other versions and their corresponding files, would be quite helpful, even if whole packages are still needed for updates because of dependencies between files.


Update: November 16, 2014.

On November 14, 2014, Sara Peters posted Microsoft Fixes Critical SChannel & OLE Bugs, But No Patches For XP, which says in part:

Joe Barrett, senior security consultant of Foreground Security says that Winshock “will most likely be the first true ‘forever-day’ vulnerability for Windows NT, Windows 2000, and Windows XP. As Microsoft has ceased all support and publicly stated they will no longer release security patches, enterprises who still have Windows 2000 and Windows XP machines will find themselves in the uncomfortable situation of having an exploitable-but-unpatchable system on their network,” he says.

“Security researchers and blackhats alike are most likely racing to get the first workable exploit against this vulnerability, and the bad guys will begin immediately using it to compromise as much as they can,” he says. “As a result, enterprises need to immediately deploy the patch to every system they can and also begin isolating and removing the unpatchable systems to prevent serious compromise of their networks.”

I guess that removes all doubt about XP-based ATMs being vulnerable.
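Barrett’s advice above comes down to two tasks: confirm the MS14-066 fix is on every host that can take it, and find the hosts that cannot take it so they can be isolated. The script below is an added example for doing that inventory; it is not code from the original post, from Ars, from Dark Reading or from Microsoft. It assumes that MS14-066 is delivered as KB2992611 (check the bulletin’s affected-software table for each release you run, since bulletins are occasionally re-released), that the hosts are reachable over WMI with an account that can read Win32_OperatingSystem and Win32_QuickFixEngineering, and that Windows 2000 (NT 5.0) and Windows XP (NT 5.1) are the releases with no patch available, while Windows Server 2003 (NT 5.2) is still covered by the bulletin.

```powershell
# Added example (not from the original post or Microsoft): inventory hosts for the
# MS14-066 Schannel fix and flag releases that cannot receive it.
# Assumptions: MS14-066 ships as KB2992611 (verify against the bulletin for your
# releases); hosts answer WMI queries for Win32_OperatingSystem and
# Win32_QuickFixEngineering under the account running this script.

param(
    [string[]]$ComputerName = @('localhost'),
    [string]$KB = 'KB2992611'
)

# NT kernel major.minor versions whose security support had ended before
# MS14-066 was published: Windows 2000 (5.0) and Windows XP (5.1).
# Windows Server 2003 (5.2) was still supported and is listed in the bulletin.
$UnsupportedMajorMinor = @('5.0', '5.1')

function Get-SchannelPatchStatus {
    param([string]$Computer, [string]$KB)

    $props = @{ Computer = $Computer; OS = $null; Version = $null; Status = $null }

    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported, not skipped: an unknown host is not a patched host.
        $props.Status = "Unreachable: $($_.Exception.Message)"
        return New-Object PSObject -Property $props
    }

    $props.OS      = $os.Caption
    $props.Version = $os.Version
    $majorMinor    = ($os.Version -split '\.')[0..1] -join '.'

    if ($UnsupportedMajorMinor -contains $majorMinor) {
        # No fix exists for these releases; the only remediation is isolation or retirement.
        $props.Status = 'Unpatchable (out of support) - isolate or decommission'
        return New-Object PSObject -Property $props
    }

    # Win32_QuickFixEngineering (the class Get-HotFix reads) lists installed updates by KB id.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $KB }

    if ($fix) {
        $props.Status = "Patched ($KB installed $($fix.InstalledOn))"
    } else {
        $props.Status = "MISSING $KB - patch immediately"
    }
    New-Object PSObject -Property $props
}

$report = foreach ($c in $ComputerName) { Get-SchannelPatchStatus -Computer $c -KB $KB }
$report | Select-Object Computer, OS, Version, Status | Format-Table -AutoSize

# Exit non-zero when any host still needs action, so a deployment job can gate on it.
if ($report | Where-Object { $_.Status -notlike 'Patched*' }) { exit 1 }
```

Run it as `.\Check-MS14066.ps1 -ComputerName web01, atm-gw-03, file02` (the script name is a placeholder). Hosts come back in one of four states: patched, missing the update, out of support with no update to install, or unreachable. The last two are the ones to hand to the network team, since for an XP or 2000 machine the only control left is limiting which ports reach it.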
