Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft Updates MS14-066 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Updates MS14-066

Microsoft updated MS14-066 to warn users about some problems caused by the additional ciphers added with the update [1]. It appears that clients who may not support these ciphers may fail to connect at all. The "quick fix" is to remove the ciphers by editing the respective registry entry (see the KB article link below for more details).

One user reported to us performance issues when connecting from MSFT Access to SQL Server, which are related to these ciphers.

Sadly, MS14-066 hasn't been Microsoft's best vulnerability announcement. The initial bulletin omitted important details (like the impact of the certificate bypass vulnerability). So far, a total of 3 vulnerabilities are being discussed in conjunction with MS14-066, while the bulletin only lists one CVE number. How the bug was disclosed has also caused confusion, with some Microsoft publications listing external discovery (but private disclosure) and others indicating internal disclosure. 

[1] https://support.microsoft.com/kb/2992611 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS San Jose 2019

Johannes

3579 Posts
ISC Handler
As many of us can attest, I've been very leery of MS patches' quality for the past few months. The mass layoffs seem to correspond to a serious deterioration in overall patch quality. However, MS14-066 has this right brain dominant analytical type very concerned due to the many avenues of ingress and potential modes of various attacks. The fact that Microsoft is being very mum on details has me even more concerned. Personally, I think this is worse than any of the historical RPC RCE vulnerabilities especially if the OWA speculation proves true. Try blocking OWA access at your firewall and see what happens. Anyone advocating uninstalling this one is asking for trouble.

Damn the torpedoes, full speed ahead! I cannot wait to see what tomorrow brings on this front as I have a funeral to attend at noon. I've made significant progress in patching though I've still two more non-internet exposed servers to go.

Overall, I've had good luck in my test environment and client's production environments so far.
pdawg

7 Posts
Seems they updated the underlying KB article
https://support.microsoft.com/kb/2992611
without actually updating the MS14-066 bulletin
https://technet.microsoft.com/library/security/ms14-066
(that still does not mention "known issues").
Paul Szabo

13 Posts
Paul Szabo - I was about to post this myself. The KB and bulletins are usually mostly redundant and it's not clear why they have both. I guess they have to have a KB article on everything.
Larry Seltzer

25 Posts
@ et all for posters of this thread, this is the reason I typically wait at least a week and watch here and other sites to see any conflicts. I also agree that MS and you may or may not read my past rants has one a bent compass, but $$$$$$$$$$$$$ always wins. Look at the other target issues and who runs them and their $$$$$$$$$$$ worth.

Reading many articles I see not only issues with MS updates but also Flash, Oct. 31 their version crunched my machine and oddly enough couple of weeks later out came a new shiny version.

I wish I could say, going to get better but it is not. We were fed the rouse update XP to VIsta, then 7, then 8 blah, blah that it will be much better. Well, seems the old age issue, put out crap code and react to it. Combine this with companies that are >90% clueless about security and we will continue to have "cracked links" in the chain and be REactive.

Fortunately, we have places like this to be PROactive,

Best to all...

ICI2I
ICI2Eye

52 Posts
FYI: Other issues noted at patchmanagement.org:

MS14-066 Advisory
- https://aws.amazon.com/security/security-bulletins/ms14-066-advisory/
2014/11/14 5:30PM PST - "We are continuing to investigate the reported issues with the patch that was supplied for MS14-066. This updated status is being provided for the service below. We will continue to update this Security Bulletin for the other services previously identified as more information becomes available.
Amazon Relational Database Service (RDS):
Amazon RDS will build and deploy any required updates to affected RDS SQL Server instances. Any needed updates will require a restart of the RDS database instance. Communication of the specific timing of the update for each instance will be communicated via email or AWS Support directly to customers prior to any instance restart...

We will continue provide updates to this security bulletin.
___

WinShock (KB2992611) Patch breaks IIS
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/218cf562-3dab-4d09-adcc-74f65d0f29f1/winshock-kb2992611-patch-breaks-iis?forum=winserversecurity
Last entry (as of date/time of this post): Nov 16, 2014 12:01 AM

.
PC.Tech

34 Posts
I went site visiting today looking for issues this morning and got into the "Why are we paying you for your time for something that does not exist yet?" discussion with one of my clients.

I told them that not only was I protecting them against something that most likely will happen with little or no warning. I also told them that I went ahead and installed all of the prerequisites needed for an accounting system upgrade we'll be doing in a few months while I was in there protecting them from MS14-066 which made them happy to hear that. Is that not what maintenance windows are for?

Of course, I also mentioned how a friend of mine and his IT department spent a whole lot of time flushing Conflicker out of their network months after MS released the patch while the whole business reverted back to pen and paper to function. Of course, I had my network patched and ready for it and was resting on my laurels. I really hate deploying patches so quickly, but sometimes the potential risk warrants doing it.

I just live with it when a patch takes out something. I will say iOS 8.x has not been kind to me, but each new release gets my iPad working better.
pdawg

7 Posts
not sure if anyone noticed this article about cracking the patch to exploit this vulnerability -

http://blog.beyondtrust.com/triggering-ms14-066
Mike

2 Posts
We have some Win Srv 2012 systems that seem to be running OK after installing MS14-066 last Wed, 11/12. That may be because we have a locally-specified Administrative Templates / Network / SSL Configuration Settings / SSL Cipher Suite Order and I managed to restrain myself from adding the new ones, or it could be because SSL is lightly-used and we've not been bit by a problematic counterparty config yet.
VT Greybeard

2 Posts

Sign Up for Free or Log In to start participating in the conversation!