In this past Tuesday's round of patches, Microsoft released 14 patches to Windows. This was done quietly and without fanfare, but the next day, Microsoft was sending out critical vulnerability warnings to companies — particularly infrastructure and hosting providers.
Within these patches is a fix for a vulnerability whose potential for abuse cannot be overstated. Microsoft’s own Security Bulletin MS14-066 classifies this vulnerability as “Critical.”
In short, every version of Windows on a modern machine is affected and needs to be updated immediately.
There is no impact to customers on our Linux platforms. This is a Microsoft Windows issue only.
According to Microsoft, this vulnerability in the Secure Channel (Schannel) security package in Windows “could allow remote code execution if an attacker sends specially crafted packets to a Windows server.”
Microsoft has published a full list of Affected Software, but you can save yourself some time and just presume you are on it. The complete list begins with Windows Server 2003 and runs through every iteration of Windows on up to the present day. This exploit affects both the version of Windows you have on your home or office desktop, as well as versions of Windows Server that your infrastructure is likely housed on.
This vulnerability is in no way related to POODLE, SSLv3, SHA1/SHA2, or other security issues that have been in the news recently. This is a separate and distinct issue.
What our team is doing for you
Normally Managed.com installs Windows updates on a scheduled basis the week following Patch Tuesday. This gives our engineering team time to properly vet and test the patches before installing them across the thousands of servers we support within our infrastructure.
Industry professionals are accustomed to Microsoft releasing patches the second Tuesday of the month, which is known as “Patch Tuesday.” Generally speaking, these patches are rather routine. This time, however, Microsoft quietly notified IT professionals about the severity of the patches after they were released.
Immediately after the Microsoft announcement, the Managed.com Security Team conducted a thorough threat assessment and determined that this issue is critical and must be addressed immediately and with special attention. While our Windows updates are normally scheduled for next week, we are going to start them immediately and verify each server has received the required security update.
Our customers enjoy knowing our team routinely patches our infrastructure on a set schedule and that we work hard to install patches during non-peak business hours for our customers. However, due to the severity of this critical vulnerability, individual maintenance windows will not be available.
We will be updating every single server within our infrastructure in order to protect you, your website, your server, your data, your customers and your business. We realize that this may be inconvenient, and we want to emphasize that this is not a decision we have made lightly.
Typically, it takes about 30 minutes to install these security patches; however, in some rare cases it may take longer.
The entire world of hosting and Microsoft is responding to this threat in a quick and timely manner. While it may be convenient to point fingers at Microsoft for not notifying people before the patches went out, it is unfeasible to send a message to everyone using every installation of your product for the last decade — especially when that product is as ubiquitous as Windows. The relatively short notice also provides a relatively small window for malicious attackers to exploit the vulnerability. In short, we believe that Microsoft is doing the best that they can under the circumstances.
What can you do?
Know that this is an all-hands-on-deck matter to professionals within the hosting and Microsoft spheres of industry. Our team will be working around-the-clock to update infrastructure to ensure that our customers are protected from this threat.
Unfortunately, we are unable to give you a specific time as to when your server will be patched for this important security maintenance. The Managed.com Security Team will be performing updates across our infrastructure in all of our global datacenters.
If you are on a dedicated server within our platform — development platform-level server and above — you can apply these updates yourself. If you are comfortable doing so, we recommend that you do so immediately. Our Security Team will then go over your server once we get to it on our list to verify the patch update has been applied, as well.
For complete information on how to apply the Schannel Security Patch, refer to our KB: “How to Install Windows Updates.” Microsoft has already created the patch to fix this critical vulnerability. There are no coding or complicated fixes you have to walk through; simply update your Windows Server and apply the patches released by Microsoft this Tuesday.
Note that these security patches exist at both the server and the regular level of Windows. If you have home PCs, or your company has Windows desktops or laptops, you should also run Windows Update on them immediately.
We will take care of your server, but we also highly recommend you apply these updates across your home and office networks. Simply click on your Windows desktop and run “Windows Update.” Apply all of the updates Microsoft has selected as “Important Updates” by default.
What happens next?
Our team will continue to install these important security patches across our infrastructure. While our customers are already accustomed to our support team being available 24/7/365, you can rest assured knowing that our Infrastructure and Security Teams will be working around-the-clock to apply these critical updates.
We understand a sudden update of your server is inconvenient, but this is what you pay us for. The team of Managed.com engineers has analyzed this threat and made the difficult decision to update our infrastructure immediately. We are doing this to protect your business and your investment.
We apologize for any inconvenience this may cause your business, but know that this is the best — and only — solution to protect your infrastructure from the potential fallout of this vulnerability.
As always, our team will continue to monitor this important issue and keep you informed.
Works Cited / For Further Reading:
How to Install Windows Updates on Your Server. (Managed.com)
Microsoft Security Bulletin MS14-066. (Microsoft)
List of Affected Software in Schannel vulnerability. (Microsoft)
Vulnerability in SChannel could allow remote code execution. (Microsoft)
Microsoft posts critical patch for huge Windows vulnerability. (TheNextWeb)
Potentially catastrophic bug bites all versions of Windows. (Ars Technica)
Drop what you’re doing and patch the Windows Schannel bugs. (ZDNet)