[WinPartners] Windows TLS (“WinShock”) security issue

[Mark Silis]

Good afternoon,

On Tuesday, November 11, Microsoft announced a significant security vulnerability in the Microsoft Secure Channel (SChannel) software package for the Windows operating system.  This vulnerability allows for remote code execution if an attacker sends specially crafted network traffic to a Windows server running SSL / TLS-based services; a Windows web server providing content via the HTTPS protocol is the most common attack vector for this vulnerability.  Please see:

https://technet.microsoft.com/library/security/MS14-066 <https://technet.microsoft.com/library/security/MS14-066>

for the full text of Microsoft’s announcement.  All Windows versions from Windows 95 onward are affected by this issue.

IS&T recommends that all operators of Windows-based servers apply these patches immediately.  These patches are available from MIT WAUS (Windows Automatic Update Service).

All IS&T-managed Windows servers will have these patches applied over the course of the next 48 hours, and will be contacting Managed Server Hosting customers to schedule the necessary maintenance windows.

If you have any questions or concerns about this vulnerability, please contact the IS&T Security Operations team via security at mit.edu <mailto:security at mit.edu> for assistance.

Best,
Mark

Mark Silis
Director, Operations & Infrastructure
MIT Information Systems & Technology
mark at mit.edu <mailto:mark at mit.edu> 617.324.9000