In the November 2014 security bulletin there were 14 updates released. The updates resolved security issues in IE, OLE and Schannel. It is the latter that is worth calling out for attention since this is the basis of the Microsoft implementation of SSL. Exchange makes heavy use of SSL, and is typically connected to the Internet.
MS14-066 / MS014-066 is pernicious for several reasons:
It applies to all supported versions of Windows from Vista to 2012 R2
Server core is affected (though Exchange is not supported on server core)
There are no Microsoft workarounds
There are no Microsoft mitigating factors
To mitigate the risk you must patch
The vulnerability allows remote code execution.
Update 16-11-2014: KB 2992611 has information on known issues.
Update 18-11-2014: V2 of the bulletin was released. Details from the update:
Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611
update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information
As of writing, the MSRC and other security assets do not report that there attacks in the wild since the issue was responsibly disclosed to Microsoft. However it is only a matter of time….
Call To Action
Test, Validate And Install this update ASAP
There are other security issues also resolved by this month’s security releases. For example in TCP/IP which is MS14-070 / MS014-070. The TCP/IP vulnerability is an elevation of privilege, whereas the Schannel vulnerability allows remote code execution.
Both are not good, so please let’s get our servers patched and protected!