TA14-318A: Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)

Systems Affected

  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Vista SP2
  • Microsoft Windows Server 2008 SP2
  • Microsoft Windows Server 2008 R2 SP1
  • Microsoft Windows 7 SP1
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows RT
  • Microsoft Windows RT 8.1

Microsoft Windows XP and 2000 may also be affected.


A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]


Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]

It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]


This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]


Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]


Revision History

  • November 14, 2014: Initial Release



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s