Microsoft’s Schannel Security Update May Have Problems
Chris Smith / 10 years ago
Software giant Microsoft has issued a warning today based around it’s MS14-066 update which was pushed to consumers late last week. They’ve provided a workaround for those who have already installed the update and are urging all users to avoid or uninstall the update if possible.
This update was designed to fix a critical vulnerability in Schannel, with Microsoft implementing SSL/TLS encryption. This update was previously seen as highly critical by the wider audience with many tech companies and news channels urging users to update immediately. Unfortunately, this update is causing some major issues for some consumers, coming in the form of configurations in which TLS 1.2 is enabled by default and leading negotiations to fail. When the failure occurs, Microsoft and ZDNET has explained:
“TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive.” There may also be an event ID 36887 in the System event log withe description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.” ZDNET
The MS14-066 update also contained some new features including four ciphers for TLS. The workaround as given by Microsoft is to delete the following ciphers from your system:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
Microsoft has provided a step-by-step process on their official website.
What exactly is happening about this update is somewhat of a grey area, with Microsoft and others reportedly claiming that this update did succeed in protecting the previous mentioned loopholes – but it’s seemingly providing users with more issues than wanted or expected.
Image courtesy of Mashable