MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014

INTRODUCTION

The update that this article describes has been replaced by a newer update on December 9, 2014. We recommend that you install the most current security update for Windows. To install the most current update, go to the following Microsoft website:

To learn more about security bulletin MS14-066:

How to obtain help and support for this security update

Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information

On December 9, 2014, Microsoft re-released MS14-066 to comprehensively address CVE-2014-6321 and to resolve issues with security update 2992611. Customers running Windows Vista or Windows Server 2008 who installed update 2992611 before the December 9 reoffering should reapply the update.

Known issues in this security update

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, go to the following article in the Microsoft Knowledge Base:

  • Known issue 1

    After you install this security update (or update 3000850), domain users who log on to Windows 8.1 client computers experience the following issues:

    • When you try to add a new account in Windows Live Mail 2012, the new account is not created, and you receive an error message that resembles the following:

      error 0x80090345
    • You cannot save passwords when you use Remote Desktop Connection (RDC). When the problem occurs, you do not receive an error message.
    • You receive an error message that resembles the following when you open the Credential Manager:

      error 0x80090345
    • Windows Explorer may hang (freeze) when you encrypt a file. When the problem occurs, log entries that resemble the following appear in a Windows Performance Analyzer (WPA) trace:

      Explorer taking ~664 seconds to Encrypt a file. TID #3376.
      This is being serviced by LSASS TID #1488.
      LSASS TID#3848 is executing the sspCryptUnprotectData call which leads into GetMasterKey.
      GetMasterKey is taking ~664 seconds (TimesinceLast). LSASS TID 3848. We spend the whole time waiting on LSASS TID 576 which is performing DCLocator pings to find a DC.
      File Encryption delay/hang is also accounted by the same code change where the backup is required.

    All of these symptoms have the same cause: the updated DPAPI code requires the master key to be backed up to a writable domain controller before the operation completes, and when no writable DC can be located the call blocks while the DC locator keeps searching for one.

    To work around this problem, add a DWORD value named ProtectionPolicy that has a value of 1 to the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

    When you do this, you enable local backup of the master key instead of requiring an RWDC.

    To do this, follow these steps:

    1. Click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following subkey in the registry:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type ProtectionPolicy for the name of the DWORD, and then press Enter.
    5. Right-click ProtectionPolicy, and then click Modify.
    6. In the Value data box, type 1 and then click OK.
    7. Exit Registry Editor, and then restart the computer.
  • Known issue 2

    Some customers have reported an issue that is related to the addition of the following new cipher suites to Windows Server 2008 R2 and Windows Server 2012:
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    To give customers more control over whether these cipher suites are used in the short term, we are removing them from the default cipher suite priority list in the registry. Customers who customized their cipher suite priority list should review their list after they apply this update to make sure that the sequence meets their expectations.

    Removing these cipher suites does not affect the security updates that are part of this release; it only returns the default priority list to the set of suites that was offered before 2992611 added these four. On November 18, 2014, a new secondary package was added to the release for Windows Server 2008 R2 and Windows Server 2012 to achieve this. This new package is update 3018238.

    Note for Windows Update, Windows Server Update Services (WSUS), and Microsoft Catalog

    Update 3018238 is installed automatically and transparently together with security update 2992611. Update 3018238 will appear separately in the list of installed updates when it is viewed in the Add Remove Programs item in Control Panel. If you already have security update 2992611 installed, you will notice that security update 2992611 will be reoffered (for Windows Server 2008 R2 or Windows Server 2012 only) by Windows Update or by WSUS to make sure that update 3018238 is also installed. Installing both packages together will require only one restart.

    Note for Download Center customers

    If you downloaded and then installed this security update from the Microsoft Download Center for Windows Server 2008 R2 or Windows Server 2012, we recommend that you reinstall the security update from the Download Center. When you click the Download button, you are prompted to select updates 2992611 and 3018238.

    For Windows Server 2008 R2-based or Windows Server 2012-based computers that have 2992611 installed, select the check box for 3018238 only, and then click Next to install update 3018238. This update will require a restart.

    For Windows Server 2008 R2-based or Windows Server 2012-based computers that do not have 2992611 installed, select both check boxes to download 2992611 and 3018238. To apply both updates in a single restart, install 3018238, ignore the restart requirement, and then install 2992611.

    Note The cipher suites that were removed by 3018238 may be re-added to the default priority list in a future release after the community has had an opportunity to verify correct operation in all customer scenarios.

    A note about security update 3011780 for Kerberos

    Security update 3011780 (a security update for Kerberos that was released on November 18, 2014, and is described in bulletin MS14-068) may be installed together with updates 3018238 and 2992611 by using any of the distribution methods that were described earlier. When you use this method, only a single restart is required.
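    As an added example (not part of the original article), the following PowerShell script reads the SChannel cipher suite priority list on a Windows Server 2008 R2 or Windows Server 2012 computer and flags the four suites that update 3018238 removes from the defaults, so that a customized list can be reviewed after the update as the note above asks. Get-TlsCipherSuite does not exist on these releases, so the script reads the registry directly. The two registry locations (the Group Policy override and the local default, both holding a value named Functions), the precedence between them, and the use of Get-HotFix to confirm that 2992611 and 3018238 are present are this example's own assumptions, not statements from the article. The script is written for the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not from the KB article: review the SChannel cipher suite
# order after installing 2992611 / 3018238 on Windows Server 2008 R2 or 2012.
# The registry locations and the Get-HotFix check are assumptions of this
# example; the four suite names are the ones listed in the article.

$suitesRemovedBy3018238 = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-InstalledSchannelUpdates {
    # Returns whichever of the two update IDs Get-HotFix reports as installed.
    Get-HotFix -Id 'KB2992611', 'KB3018238' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
}

function Get-SchannelCipherSuiteOrder {
    # Assumption: the policy value (set by the "SSL Cipher Suite Order" GPO) is a
    # REG_SZ with comma-separated names and takes precedence; the local default
    # is a REG_MULTI_SZ. Both values are named "Functions".
    $locations = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
    )
    foreach ($path in $locations) {
        $raw = (Get-ItemProperty -Path $path -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($raw) {
            # -split handles both the single comma-separated string and the string array.
            $suites = @($raw) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            return New-Object PSObject -Property @{ Source = $path; Suites = @($suites) }
        }
    }
    return $null
}

$installed = @(Get-InstalledSchannelUpdates)
if ($installed) { Write-Host ('Installed: ' + ($installed -join ', ')) }
else            { Write-Host 'Installed: neither 2992611 nor 3018238' }

$order = Get-SchannelCipherSuiteOrder
if ($null -eq $order) {
    Write-Host 'No cipher suite list found in the registry; SChannel is using its built-in order.'
    return
}

Write-Host ('Cipher suite order from ' + $order.Source + ':')
$i = 0
foreach ($suite in $order.Suites) {
    $i++
    $flag = ''
    if ($suitesRemovedBy3018238 -contains $suite) { $flag = '   <- removed from the defaults by 3018238' }
    Write-Host ('{0,3}. {1}{2}' -f $i, $suite, $flag)
}

# Sanity check: after 3018238 none of the four suites should remain in a default list.
$stillPresent = @($suitesRemovedBy3018238 | Where-Object { $order.Suites -contains $_ })
if ($installed -contains 'KB3018238' -and $stillPresent.Count -gt 0) {
    Write-Host 'Note: these suites are still listed, which means the list came from a customized policy or was re-added manually.'
}
```

    Run it from an elevated prompt before and after applying the update and compare the two listings; a customized policy list (the first registry location) is left untouched by 3018238, which is why the article asks you to review it yourself.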
  • Known issue 3

    Domain-joined Windows 8.1 computers require RWDC access when they back up the DPAPI master key.

    Symptom

    Domain-joined Windows 8.1 computers require access to a read/write domain controller (RWDC) when they back up the Windows Data Protection API (DPAPI) master key after you install security update 2992611 or update 3000850. A Windows 8.1-based computer that is located in a read-only domain controller (RODC)-covered site experiences errors when it backs up the DPAPI master key after you install these updates.

    After you install security update 2992611 or update 3000850, the errors and operations that you might encounter include but are not limited to the following:

    • When you try to add a new account in Windows Live Mail 2012, the new account is not created, and you receive an error message that resembles the following:

      error 0x80090345
    • You cannot save passwords when you use Remote Desktop Connection (RDC). When this problem occurs, you do not receive an error message.
    • You receive an error message that resembles the following when you open the Credential Manager:

      error 0x80090345
    • Windows Explorer freezes when you encrypt a file. When this problem occurs, log entries that resemble the following appear in a Windows Performance Analyzer (WPA) trace:

      Explorer taking ~664 seconds to Encrypt a file. TID #3376.
      This is being serviced by LSASS TID #1488.
      LSASS TID#3848 is executing the sspCryptUnprotectData call which leads into GetMasterKey.
      GetMasterKey is taking ~664 seconds (TimesinceLast). LSASS TID 3848. We spend the whole time waiting on LSASS TID 576 which is performing DCLocator pings to find a DC.
      File Encryption delay/hang is also accounted by the same code change where the backup is required.

    Typically, RODCs are deployed in sites that are less trusted than those that contain RWDCs, such as sites in which administrator role separation is required. Therefore, it makes sense that RODCs do not hold the DPAPI backup public or private key locally, which is why the master key backup has to be serviced by an RWDC.

    Workaround

    Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

    Make sure that domain-joined Windows 8.1 computers that install the updates in question and that are located in RODC-covered sites have network access to a writable domain controller. As a workaround, affected Windows 8.1 computers can set the following registry value to enable local backup of the master key:

    Registry Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
    Setting: ProtectionPolicy
    Type: DWORD
    Value: 1

    Restart the computer after you set the value. Be aware that with ProtectionPolicy set to 1 the master key is backed up locally only and is no longer backed up by using the domain's DPAPI backup key, so that user's master key can no longer be recovered through the domain backup key (for example, after an administrator resets the user's password). Prefer restoring RWDC connectivity where you can, and treat the registry setting as a targeted workaround for the affected computers.
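    The following PowerShell script is an added example and is not part of the original article. It applies the same ProtectionPolicy workaround that known issue 1 and known issue 3 describe, from an elevated prompt on the affected Windows 8.1 computer, and verifies the result by reading the value back. Two things in it are assumptions rather than statements from the article: it uses nltest.exe with /dsgetdc and /writable to tell whether a writable domain controller is currently reachable (so that you do not apply the workaround where it is not needed), and it creates the provider subkey if it is missing, whereas the regedit steps assume the subkey already exists.

```powershell
# Added example, not from the KB article: apply and verify the ProtectionPolicy
# workaround for known issues 1 and 3. Run from an elevated PowerShell prompt
# on the affected Windows 8.1 computer. The registry path, value name and data
# come from the article; the nltest-based RWDC check, the -Force switch and the
# creation of a missing provider subkey are this example's own assumptions.

param([switch]$Force)   # -Force applies the workaround even if an RWDC is reachable now

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$valueName = 'ProtectionPolicy'

function Test-WritableDcReachable {
    # Ask the DC locator for a writable DC for the computer's domain.
    # Assumption: nltest returns a non-zero exit code when none can be found.
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) { return $false }   # no domain logon, nothing to locate
    & nltest.exe "/dsgetdc:$domain" /writable /force *> $null
    return ($LASTEXITCODE -eq 0)
}

function Get-ProtectionPolicy {
    # Returns the current DWORD, or $null when the value (or the key) is absent.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Enable-LocalMasterKeyBackup {
    # Create the provider subkey if it is missing, then write ProtectionPolicy = 1
    # (step 3 to step 6 of the regedit procedure).
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

if (-not $Force -and (Test-WritableDcReachable)) {
    Write-Host 'A writable domain controller is reachable; leaving the registry unchanged. Use -Force to apply the workaround anyway.'
    return
}

$before = Get-ProtectionPolicy
Enable-LocalMasterKeyBackup
$after = Get-ProtectionPolicy

$beforeText = if ($null -eq $before) { '<absent>' } else { $before }
Write-Host ('{0}: before={1} after={2}' -f $valueName, $beforeText, $after)
if ($after -ne 1) { throw "Failed to set $valueName under $keyPath" }
Write-Host 'Restart the computer for the change to take effect (step 7 of the workaround).'
```

    The reachability check is a point-in-time test: a laptop that can see an RWDC on the corporate network today may sit in an RODC-only site tomorrow, so for machines that roam between sites use -Force rather than relying on the check. Because the setting removes the domain-based recovery path for the master key, record which computers received it so the value can be removed once they regain RWDC access.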

Security update deployment

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows Server 2003 file information
Windows Vista and Windows Server 2008 file information
Windows 7 and Windows Server 2008 R2 file information
Windows 8 and Windows Server 2012 file information
Windows 8.1 and Windows Server 2012 R2 file information
File hash information
Properties

Article ID: 2992611 - Last Review: October 20, 2015 - Revision: 1