Information about HeartBleed and IIS

The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) has received a significant amount of attention recently. While the discovered issue is specific to OpenSSL, many customers are wondering whether this affects Microsoft’s offerings, specifically Windows and IIS.  Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.

We also want to assure our customers that the default configurations of Windows do not include OpenSSL and are not impacted by this vulnerability. Windows ships with its own SSL/TLS implementation, Secure Channel (SChannel), which is not susceptible to the Heartbleed vulnerability.

This applies to all Windows operating systems and IIS versions, up to and including IIS 8.5, running on any of the following operating systems:

• Windows Server 2003 and 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2

Customers running software on Windows that uses OpenSSL instead of SChannel (for example, the Windows version of Apache) may be vulnerable. We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider. For more information and corrective action guidance, please see the information from US-CERT here.
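Because SChannel is unaffected, the practical question for an administrator is whether any third-party software on the host ships its own OpenSSL build. The following script is an added example, not code from the original post or from Microsoft: it walks a directory tree, finds OpenSSL DLLs by name, reads the "OpenSSL x.y.z" banner embedded in the binary, and flags builds in the affected range. The DLL name prefixes are an assumption based on common Windows OpenSSL builds of the time; the affected version range (1.0.1 through 1.0.1f) comes from the CVE-2014-0160 advisory rather than from this page; and the demo writes constructed stand-in files, not real binaries, so it runs offline.

```python
"""Inventory OpenSSL DLLs on a Windows host and flag Heartbleed-era builds.

Added example, not part of the original post. Point it at a drive root or an
application directory (for example an Apache installation) to find software
that carries its own OpenSSL instead of using SChannel.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Assumption: filename prefixes used by common Windows builds of OpenSSL.
OPENSSL_DLL_PREFIXES = ("libeay32", "ssleay32", "libssl", "libcrypto")

# OpenSSL binaries embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f (per the CVE advisory,
# not stated on this page). 1.0.2-beta1 was also affected but carries no
# letter suffix, so a bare 1.0.2 banner is reported for manual review.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

Version = Tuple[int, int, int, str]


def looks_like_openssl_dll(filename: str) -> bool:
    """True for names like libeay32.dll, ssleay32.dll, libssl*.dll, libcrypto*.dll."""
    name = filename.lower()
    return name.endswith(".dll") and name.startswith(OPENSSL_DLL_PREFIXES)


def openssl_version_from_binary(data: bytes) -> Optional[Version]:
    """Return (major, minor, patch, letter) from the first OpenSSL banner found."""
    m = VERSION_RE.search(data)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode()


def classify(version: Optional[Version]) -> str:
    """Map a parsed version to vulnerable / fixed / not_affected / review / unknown."""
    if version is None:
        return "unknown"  # no banner found; treat as unverified, not as safe
    major, minor, patch, letter = version
    if (major, minor, patch) == AFFECTED_BRANCH:
        # '' (plain 1.0.1) and 'a'..'f' sort below 'g'
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "fixed"
    if (major, minor, patch) == (1, 0, 2) and letter == "":
        return "review"  # could be the affected 1.0.2-beta1
    return "not_affected"  # 0.9.8 and 1.0.0 never had the heartbeat extension bug


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Walk `root` and report every OpenSSL DLL with its version and status."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not looks_like_openssl_dll(fn):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            ver = openssl_version_from_binary(data)
            text = ".".join(map(str, ver[:3])) + ver[3] if ver else "?"
            findings.append({"path": path, "version": text, "status": classify(ver)})
    return findings


def run_demo() -> Dict[str, str]:
    """Build a constructed directory tree of stand-in DLLs and scan it.

    The files are not real binaries; they only carry the banner string
    a real OpenSSL build would contain. Returns {basename: status}.
    """
    samples = {
        os.path.join("Apache24", "bin", "libeay32.dll"): b"MZ\x00\x00 OpenSSL 1.0.1e 11 Feb 2013\x00",
        os.path.join("Apache24", "bin", "ssleay32.dll"): b"MZ\x00\x00 OpenSSL 1.0.1g 7 Apr 2014\x00",
        os.path.join("SomeTool", "libcrypto.dll"): b"MZ\x00\x00 no banner here\x00",
        os.path.join("SomeTool", "unrelated.dll"): b"MZ\x00\x00 OpenSSL 1.0.1a 1 Jan 2013\x00",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return {os.path.basename(f["path"]): f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{name}: {status}")
```

In use, replace the demo tree with a real path such as the Apache or load-balancer software directory; an "unknown" result means a file matched by name but with no version banner, which still deserves a look rather than being treated as clean.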

Comments (20)

  1. Great and valuable walk-thru. Thanks.

  2. Erez Benari says:

    Answering Kumar’s question: The vulnerability is not in the certificate itself, so copying a certificate from Apache to IIS doesn’t cause it to become vulnerable. However, this is NOT advisable, because HeartBleed may have allowed someone malicious to compromise the certificate’s private key while it was being used on the Apache server. If so, that key can be used maliciously in several ways, and therefore the certificate should be revoked and replaced as a precaution (just like your users should change their passwords on your site, if they had any).

  3. Peter says:

    Good to know – thanks

  4. Bron says:

    Just like any other project, open source software needs attention or problems like this get left in the wild for a very long time.

  5. Ben says:

    Don’t worry, if IIS was open source they’d be grabbing their ankles weekly.

  6. Ivan Lewis says:

    That’s nice??

  7. alex says:

    Thank you for your post.
    It eliminated a lot of our customers’ concerns.

  8. @Ben says:

    What a hater! The only ones grabbing their ankles have been OpenSSL users… for 10 years! You’d think that, being “open source”, someone would have noticed and fixed it sooner.

  9. jim says:

    I am glad I use open source. With proprietary software you pay, and you never know if there is a vulnerability unless the provider tells you, which is not guaranteed even if they discover one. With open source everything goes viral immediately. Open source FTW

  10. kumar says:

    Suppose I exported an SSL server certificate with its key from Apache to IIS; will my IIS then become vulnerable to Heartbleed?

  11. kumar says:

    Thanks Ben. But I am not very clear on this issue. Supposing I have a device or server which has some OpenSSL modules: if this version of OpenSSL is vulnerable, then the PKI environment used when generating the CSR would be susceptible to a Heartbleed attack. Is that right, or do I need to correct myself? My initial thought was that any PKI certificate CSR generated using a vulnerable version of OpenSSL is susceptible to Heartbleed.

  12. MicroNaram says:

    Check out the section titled “Is it only sites on Apache and nginx that are affected?” on this page: . Even if you have a farm of only IIS servers, if you have a load balancer in front of them, it might be running OpenSSL.

  13. Abhishek Dadarya says:

    I have a Windows Server 2003 on our intranet network running application software written in .NET. Will it be affected by this vulnerability?

  14. Anonymous says:

    After my blog post on the topic, questions continue to flow about the effect it has on Windows, Azure

  16. says:

    Ok what a sight what ever.q

  17. Anonymous says:

    OpenSSL Heartbleed Vulnerability not applicable to CIC

  18. Anonymous says:

    Pingback from Heartbleed og de forskjellige operativsystemene | Teknologia