MS10-049: Vulnerabilities in SChannel could allow remote code execution

Microsoft has released security bulletin MS10-049. To view the complete security bulletin, visit one of the following Microsoft websites:

• Home users:
  http://www.microsoft.com/security/updates/bulletins/201008.aspx

  (http://www.microsoft.com/security/updates/bulletins/201008.aspx)
  Skip the details: Download the updates for your home computer or laptop from the Microsoft Update website now:
  http://update.microsoft.com/microsoftupdate/

  (http://update.microsoft.com/microsoftupdate/)
• IT professionals:
  http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx

  (http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx)

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Description of this security update

Modes

This security update complies with the following standard:
To provide backward compatibility, this security update works in the following modes.

Compatible mode
• If this security update is applied to the server, and the server is in compatible mode, the server allows all clients to set up and renegotiate Transport Layer Security (TLS) sessions. This occurs whether the clients are updated or are not updated by using this security update.
• Similarly, if this security update is applied to the client, and the client is in compatible mode, the client can set up and renegotiate TLS sessions with all the servers for which this security update is applied or is not applied.

Strict mode
• If this security update is applied to the server, and the server is in strict mode, the server allows only those clients to which this security update is applied to set up and renegotiate TLS sessions. The server does not allow the clients to which this security update is not applied to set up the TLS session. In this case, the server terminates such requests from the clients.
• Similarly, if this security update is applied to the client, and the client is in strict mode, the client can set up and renegotiate TLS sessions with all the servers for which this security update is applied. The clients cannot set up TLS sessions at all with servers for which this security update is not applied. The client cannot move ahead with a TLS negotiation attempt with such servers.

By default, this security update enables the TLS or Secure Sockets Layer (SSL) client or server to stay in compatible mode. An administrator can use the AllowInsecureRenegoClients and the AllowInsecureRenegoServers entry DWORD values in the following registry path to enable strict mode on the client or on the server:
The following table shows how these DWORD values can be used:

Selecting the Signaling mechanism for Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP only

The Request for Comments (RFC) 5746 recommends sending the Transport Layer Security (TLS) Renegotiation Indication Extension in the TLS "ClientHello" message. However, in certain cases, sending the TLS extension in the TLS Client ClientHello message can cause a failure on certain kinds of servers that cannot parse the TLS extensions correctly. This type of interoperability failure had not been encountered in Microsoft operating systems earlier than to Windows Vista. This is because the ClientHello message previously did not contain any extensions when using these earlier operating systems. To avoid this problem, an administrator can use the UseScsvForTls DWORD registry entry with a nonzero value. (This can be any value other than zero.) This registry entry will cause the client to a send fixed byte pattern (00 FF) in the list of cipher-suite values instead of the TLS Renegotiation extension in the TLS ClientHello message to signal the server. The fixed byte pattern (00 FF) is known as a Signaling Cipher Suite Value (SCSV).

To configure the UseScsvForTls registry entry, add a DWORD to the following subkey in the registry on the TLS client computer:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

The  following table explains the behavior for the DWORD settings:

Additional information about this security update

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows XP and Windows Server 2003 file information

• The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.
• GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.
• In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For all supported x86-based versions of Windows XP

For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

For all supported x86-based versions of Windows Server 2003

For all supported IA-64-based versions of Windows Server 2003

Windows Vista and Windows Server 2008 file information

• The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
  Collapse this tableExpand this table

  Version	Product	Milestone	Service branch
  6.0.6000.16xxx	Windows Vista	RTM	GDR
  6.0.6000.20xxx	Windows Vista	RTM	LDR
  6.0.6001.18xxx	Windows Vista SP1 and Windows Server 2008 SP1	SP1	GDR
  6.0.6001.22xxx	Windows Vista SP1 and Windows Server 2008 SP1	SP1	LDR
  6.0.6002.18xxx	Windows Vista SP2 and Windows Server 2008 SP2	SP2	GDR
  6.0.6002.22xxx	Windows Vista SP2 and Windows Server 2008 SP2	SP2	LDR

• Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000. xxxxxx version number.
• GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
• The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Vista and of Windows Server 2008

For all supported x64-based versions of Windows Vista and of Windows Server 2008

For all supported IA-64-based versions of Windows Server 2008

Additional file information for Windows Vista and Windows Server 2008

Additional files for all supported x86-based versions of Windows Vista and of Windows Server 2008

Additional files for all supported x64-based versions of Windows Vista and of Windows Server 2008

Additional files for all supported IA-64-based versions of Windows Server 2008

Windows 7 and Windows Server 2008 R2 file information

• The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
  
  Collapse this tableExpand this table

  Version	Product	Milestone	Service branch
  6.1.7600.16xxx	Windows 7 and Windows Server 2008 R2	RTM	GDR
  6.1.7600.20xxx	Windows 7 and Windows Server 2008 R2	RTM	LDR

• GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
• The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 7 and Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows 7

For all supported x64-based versions of Windows 7 and of Windows Server 2008 R2

For all supported IA-64-based versions of Windows Server 2008 R2

Additional file information for Windows 7 and of Windows Server 2008 R2

Additional files for all supported x86-based versions of Windows 7

Additional files for all supported x64-based versions of Windows 7 and of Windows Server 2008 R2

Additional files for all supported IA-64-based versions of Windows Server 2008 R2