It’s peanut butter patching time. And it’s urgent: MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611).
This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.
This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
The update is shipped via regular Windows/Microsoft updates.
For anyone still on Windows XP, questioning if they should upgrade … guess what, the fix isn’t released for Windows XP machines. Here’s your incentive!
How does the exploit work?
A very detailed posted emerged where they trigger the MS14-066 vulnerability. It goes into a lot of details on how they found the actual bug by looking at the updated DLL files and how the SSL/TLS stack can be exploited.