Image courtesy of Gizmodo
It would be no surprise at all if some future politician decides that computer system security flaws are natural disasters; after all, 2014 has proven to be a year of reoccurring hacks, exploits, and loopholes — almost like reoccurring natural disasters. Joining the pantheon of system-crippling bugs made of Heartbleed, Stuxnet, and ShellShock is a new bug that’s been present in every Windows system since Windows 95 until it was finally nullified by Microsoft’s most recent batch of security updates this month.
The bug — called WinShock by some — could allow hackers to exploit a bug to conducting a drive-by attack and remotely take over a user's computer. In non-industry terms, drive-by attacks occur when users are tricked into downloading a fragment of malicious code by clicking on phony pop-ups that bear a close resemblance to Windows pop-ups. Typically, these attacks are browser-based and easily recognizable by people with appropriate security knowledge, but the WinShock bug exploits the back end, allowing hackers to avoid browsers altogether.
In terms of the Common Vulnerability Score System (CVSS), a measure of computer security severity, WinShock receives a whopping 9.3 out of a possible 10, making it in every user’s best interest to patch the loophole immediately. Security experts liken WinShock’s severity to that of Heartbleed as WinShock also piggybacks off vulnerabilities in SSL (Secure Sockets Layers), the technology used to transfer encrypted data.
“[The bug] was sitting in plain sight,” states Robert Freeman, one of the IBM researchers who discovered the bug. Microsoft has known about IBM’s discovery since May 2014, but like the USPS, chose to recognize the bug only after a proper fix could be issued.
Unfortunately, traces of WinShock have also been discovered in Microsoft’s Windows Server platforms, or more specifically, in the Microsoft Secure Channel (Schannel) – the software used to implement secure data transfer. This vulnerability can potentially compromise the security of all websites handling encrypted data piggybacking off the Windows Server platform.
“Is WinShock as bad as Heartbleed? At the moment, due to the lack of details and proof-of-concept code, it's hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them,” states Gavin Millard from the Tenable Network Security to the BBC .
It is worth noting that there’s currently zero evidence of WinShock being exploited in the wild, but attacks will be imminent now that the issue has been publicized. Any computer lacking nullifying patch is open to attack.
Learn more about Electronic Products Magazine