Microsoft fixes '19-year-old' bug with emergency patch (bbc.com)
108 points by makphir on Nov 12, 2014 | hide | past | favorite | 43 comments


> Specifically, it related to Microsoft Secure Channel, known as Schannel, Microsoft's software for implementing secure transfer of data.

I'm confused... The article says this research relates to the SChannel vulnerability being patched this month and cites IBM Researchers[1] finding it, but the link to the blog post showing the work is towards OLE and not SChannel. Also, Microsoft has mentioned that they found[2] the SChannel vulnerability through an internal audit. To me, it seems the research is talking about CVE-2014-6332[3], which shows the patch as MS14-064. MS14-066 is the patch for the SChannel vulnerability.

Either BBC is confused on which patch they're trying to report on, or I am.

Anyone similarly confused as I am?

[1] http://securityintelligence.com/ibm-x-force-researcher-finds...

[2] http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-...

[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-633...


I think the BBC reporter likely got confused. However it seems http://securityintelligence.com/ibm-x-force-researcher-finds... is a blog post about a 19 year old remotely exploitable bug being fixed recently, so it seems like if anything the link should go there.


Completely agree, maybe the mods can fix the link.


The article was discussing two separate bugs. As it says "one of the other bugs ...."


Does IE allow VBScript execution in any HTML page?

Does it happen only when ActiveX is enabled?


Depends on the IE Zone settings. I believe that if you set a zone to 'Low', a web page can execute VBScript code, with or without ActiveX being enabled.


BBC technology reporting at its usual standard.

"In computer security, a drive-by attack typically means making users download malicious software."

That's really not clear. It means that you'll get infected by simply passing by [a website] rather than actively doing anything.


While it's good to point out errors in the article, it'd be helpful to include the correction as well.

A 'drive-by-download' attack is a malware delivery technique that is triggered simply because the user visited a website. Traditionally, malware was only 'activated' as a result of the user proactively opening an infected file (for example, opening an email attachment or double clicking on an executable that had been downloaded from the Internet).

Source: https://www.comodo.com/resources/home/newsletters/nov-10/ask...



I agree with flash player update.. seems all (flash) video players on IE8 stopped working now.


Reminds me of this one... http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

Another long-lived bug that someone finally managed to discover and exploit.

I wonder if it's related to this one 4 years ago: http://www.cvedetails.com/cve/CVE-2010-2566/


So if this really goes back that far, I would hate to be anyone using Windows XP.


XP is 13 years old.

When the Blaster worm hit in 2003, the Unix people laughed, because they were immune. The Morris worm was ancient history, because it had been 15 years since that hit.

XP is almost ancient history. You shouldn't be running it, any more than you should've been running something vulnerable to the Morris worm in 2003.

Edit: 'omh makes a good point below.


Windows XP is old, but to call it 13 years old is somewhat misleading.

XP was the newest possible version of Windows as recently as 2007, and since most people ignored Vista it was the default install for many (most?) people up until Windows 7, which was only 5 years ago. SP3 came out in 2008 and significantly improved the features and security.

Combined with some odd licenses and old PC stock in stores there were plenty of people buying new laptops in 2010 with XP installed.

Yes, it's old. But more like 5-6 years than 13.


You shouldn't be running it but a hell of a lot of people and businesses still are. And MS is to blame IMO. They continued extending support, they screwed up with Vista, and after making things right with Windows 7 screwed up again (although nowhere near as badly as with Vista) with Windows 8.

I also know of people running XP because it's incredibly stable now and they don't see anything in newer versions of Windows they really want or need.


The pace of change in big orgs means it takes 2-3 years to implement a change like XP -> Win 7. When you have 100k employees and regulatory hell and have outsourced every last bit of everything you are pretty fucked.


If you think that's bad, try the NHS in the UK. It's the largest organisation in the world with 1.4M employees (!). They've been rolling Windows 7 out for 4 years. It'll be obsolete when they've finished.


..."the NHS in the UK. Its the largest organisation in the world with 1.4M employees..."

It's big, but it's not that big, fifth or sixth largest employer in the world according to Wikipedia:

http://en.wikipedia.org/wiki/List_of_largest_employers#Large...


Ok I'm a bit off there. My data was from 2009 :)

Plus DoD is several branches so that's a bit of a push.


Is there a better way?

Maybe they should standardise on a particular UI for specific applications - maybe with desktop icons in specific locations for launching those apps. Then they remove the OS from user view entirely - any OS or version of an OS that will present the particular applications with the required views would then be appropriate.

That way when determining if they can upgrade to Windows 10 they just need to ask "will our current apps run, with largely coterminous views and function? Can the OS login direct to our launch icon layout?".

Most users use applications rather than OS, especially in a work setting I'd warrant.


I work for a big corporation which has not fully made the windows xp to windows 7 transition. We have an extended XP support contract with MS which to my understanding includes bugfixes for this kind of major problem.


> I also know of people running XP because it's incredibly stable now and they don't see anything in newer versions of Windows they really want or need.

They don't need security updates? Aren't they connected to the internet?


I've made that point to this person many times but they're pretty specific about the sites they browse to and regularly run anti-virus scans. Not ideal but they seem fine with it and their system runs pretty nice.


Most people can't "see" security vulnerabilities in their OS.


> You shouldn't be running it but a hell of a lot of people and businesses still are.

I am currently creating an application that has "runs on Windows XP" as part of the requirements list.


I hope they're compensating you some way or other. One of the last things I did at my previous job involved spelunking around some awful ancient VBScript code, boy am I glad I left that place.


It is not that bad, just that I am constrained to .NET 4.0.


XP came out before Debian 3.0. At that point, Google hardly existed, iTunes hadn't been released, and the Nokia 3310 was less than a year old - http://en.wikipedia.org/wiki/Nokia_3310

Anyone who is still running Windows XP has this coming.


On the other hand, you could buy a brand new PC with XP on it 2 years ago. PC which could be still working perfectly fine for its intended purpose - so many people don't understand why would they want to spend money on something that works without any problems.


The vulnerability seems to be present in Windows 95 (and equivalent Windows Server), as well as IE 3.0+. So yeah.. quite a big deal.


I'm using XP but also a filtering/reencrypting proxy, so all secure connections are going through OpenSSL's client code. Ironically, I just updated OpenSSL 2 days ago and patched the proxy to add SNI...


MS is still pushing monthly updates to XP users, purportedly to scan for malware. How hard would it be for them to push a patch with a fix for this?


As far as I know they haven't explicitly said they won't. The "affected systems" lists on the recent advisories currently only go back as far as 2003/Vista, but IE6 is listed in some of them, so if they are going that far back with IE (6 dropped out of extended support at the same time as XP SP3) there is a chance there is a patch coming for XP too.

Of course they are under no obligation to.

And some might argue that giving people updates so they can continue to use IE6 is as bad as giving an alcoholic a double G&T to help keep withdrawal symptoms at bay...


There are plenty of running installations of Windows 95/98/2000, too.


We upgraded to this, only to find it activates some new encryption modes (4 new GCM suites) that don't seem to function properly for us. Anyone else seen that issue?

(Technical details: If the client offers one of the suites, the server accepts it in the ServerHello, but then RSTs the connection after the client sends its encrypted handshake, and the event log says "none of the cipher suites supported by the client application are supported by the server". Browsers and curl don't use that suite, but Amazon ELB does.)


Yes, all of our AWS EC2 Windows instances sitting behind an ELB with the latest AWS Security Protocols will not communicate with the ELB after this update.

I was able to fix this by reconfiguring the available cipher suites within IIS. Downloaded the IIS Crypto tool https://www.nartac.com/Products/IISCrypto/Default.aspx and applied their "Best Practices" which removed a bunch of insecure ciphers. After that the AWS ELB and IIS happily communicated.


Thanks, nice to know there's not just something wrong with us! We made exactly the same fix with the same tool funnily enough.


> Cutting to the chase, VBScript permits in-place resizing of arrays through the command "redim preserve." This is where the vulnerability is.
>
> redim preserve arrayname( newsizeinelements )
>
> ... For VBScript, exploitation of this bug could have been avoided by invalidating the common "On Error Resume Next" VBScript code when the OleAut32 library returns with an error.

Always thought there was something shady about VB and redimming -- and On Error Resume Next. ;^) But that explains why it's as old as VB itself.
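The quoted excerpt says two things: the bug lives in the in-place resize behind `redim preserve`, and it becomes exploitable because `On Error Resume Next` lets the script carry on after OleAut32 has reported that the resize failed. The toy below, an added example that is not code from the page, from IBM's post or from OleAut32, models one way a resize can leave an array in that state: the recorded element count is committed before the storage is reallocated and is not rolled back when the reallocation fails, so a bounds check that trusts the count lets an index past the real buffer through. That ordering is an assumption used for illustration; the page does not describe OleAut32's internals. `ToyArray`, `toy_realloc`, `g_fail_alloc` and `resume_next_oob` are hypothetical names introduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a one-dimensional, in-place resizable array.  An added
 * illustration only; this is not OleAut32's SAFEARRAY or SafeArrayRedim. */
typedef struct {
    size_t    n_elems;   /* recorded bound that the bounds check trusts */
    size_t    capacity;  /* elements actually backed by storage         */
    uint32_t *data;
} ToyArray;

/* Hypothetical allocator hook so the caller can force a failed realloc,
 * standing in for the out-of-memory error a huge redim would produce. */
static int g_fail_alloc = 0;
static void *toy_realloc(void *p, size_t bytes) {
    return g_fail_alloc ? NULL : realloc(p, bytes);
}

int toy_init(ToyArray *a, size_t n) {
    a->data = calloc(n ? n : 1, sizeof *a->data);
    if (!a->data) return -1;
    a->n_elems = a->capacity = n;
    return 0;
}

/* Vulnerable ordering: the bound is committed before the storage exists
 * and is not restored when the reallocation fails.  The error is still
 * returned, but the object is now inconsistent. */
int redim_preserve_vuln(ToyArray *a, size_t new_n) {
    a->n_elems = new_n;                          /* bound updated first */
    uint32_t *p = toy_realloc(a->data, new_n * sizeof *p);
    if (!p) return -1;                           /* n_elems now lies    */
    a->data = p;
    a->capacity = new_n;
    return 0;
}

/* Hardened ordering: refuse a size that would overflow the byte count,
 * reallocate first, and commit the bound only on success, so a failed
 * resize leaves the array exactly as it was. */
int redim_preserve_fixed(ToyArray *a, size_t new_n) {
    if (new_n > SIZE_MAX / sizeof *a->data) return -1;
    uint32_t *p = toy_realloc(a->data, new_n * sizeof *p);
    if (!p) return -1;                           /* state unchanged     */
    a->data = p;
    a->capacity = a->n_elems = new_n;
    return 0;
}

/* The bounds check an interpreter performs on arr(i): it trusts n_elems. */
int toy_index_in_bounds(const ToyArray *a, size_t i) {
    return i < a->n_elems;
}

/* "On Error Resume Next" caller: the redim result is ignored and the
 * script continues.  Returns 1 if element i would now pass the bounds
 * check yet lie beyond the real storage (an out-of-bounds access),
 * 0 otherwise, -1 on setup failure. */
int resume_next_oob(int (*redim)(ToyArray *, size_t),
                    size_t old_n, size_t new_n, size_t i) {
    ToyArray a;
    if (toy_init(&a, old_n) != 0) return -1;
    g_fail_alloc = 1;
    (void)redim(&a, new_n);          /* error ignored, execution resumes */
    g_fail_alloc = 0;
    int oob = toy_index_in_bounds(&a, i) && i >= a.capacity;
    free(a.data);
    return oob;
}

int main(void) {
    /* Constructed input: an 8-element array redimmed to a size the
     * allocator refuses, followed by a read of element 100. */
    printf("vulnerable ordering, index 100 past 8 elements: oob=%d\n",
           resume_next_oob(redim_preserve_vuln, 8, (size_t)1 << 28, 100));
    printf("fixed ordering, same script:                     oob=%d\n",
           resume_next_oob(redim_preserve_fixed, 8, (size_t)1 << 28, 100));
    return 0;
}
```

The point the toy makes is that a resize must fail atomically: either both the bound and the storage change or neither does. With the vulnerable ordering the error code is correct but the object it leaves behind is not, so a caller that swallows errors (the `On Error Resume Next` pattern quoted above) ends up with a bounds check that says yes to indices nothing backs. The hardened routine makes the caller's error handling irrelevant to memory safety, which is the property you want from a library called by scripts you do not control.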


It's Patch Tuesday. What makes this an "emergency patch"?


It's really "what should have been an emergency patch", if they're referring to MS14-066. Article is kind of confusing as to what vuln they're actually referring to, though.


So I should "update" my old laptop to Vista?


BBC delivers again, this is quality tech journalism unlike the usual stuff from other outlets (IMO).


I wouldn't be surprised if this was a "oh we found a bug, lets leave it" backdoor.



