CVE-2014-4114 and CVE-2014-3566

Source: Internet
Author: User
Tags: ole, cve

Anyone following security over the past two days will have paid special attention to two new vulnerabilities: CVE-2014-4114 and CVE-2014-3566. Below is a brief description of each.

CVE-2014-4114
-------------------------

This vulnerability has been fixed in the MS14-060 update released this week, and we recommend that users deploy this security update as soon as possible to prevent potential threats. The vulnerability lies in the way Windows processes embedded OLE objects. Although it is an operating system vulnerability, the most common carrier is a file type that supports OLE objects, such as an Office document. As a mitigation and security best practice, we recommend that users do not open Office documents, PDFs or any other document that comes from an unknown source or is sent or shared by a stranger. For a more detailed technical analysis of this vulnerability, see http://www.freebuf.com/news/46956.html.

CVE-2014-3566
-------------------------

When the vulnerability was first disclosed, many people compared it with the recent OpenSSL Heartbleed vulnerability and considered it more harmful than Heartbleed. That is not the case. At present, the main harm of CVE-2014-3566 is the leakage of user information, such as cookies, from an SSL-encrypted channel. To carry out the attack, however, the attacker must first be able to intercept the communication between the client and the server in the user's network environment, and must then send a large number of requests to recover the full contents of a cookie: in theory, recovering a single byte takes 256 requests. The attack is therefore not very efficient to carry out. For more information about the vulnerability, see http://drops.wooyun.org/papers/3194.

This is an information-leakage vulnerability specific to SSL 3.0; TLS is not affected. Because SSL 3.0 is an industry security protocol, it affects not only Microsoft's Windows systems but also every other system and application that supports SSL 3.0. Precisely because this is a vulnerability in an industry protocol standard, it cannot be fixed easily: Microsoft cannot simply release an update that changes how the SSL 3.0 protocol works. Decisions about the SSL 3.0 protocol require many vendors and standards organizations to reach the most appropriate conclusion together. Microsoft does not plan to disable SSL 3.0 in Windows, because a large number of servers support only SSL and not TLS, so disabling SSL 3.0 would inevitably cause a large number of compatibility problems. For ordinary users, we still recommend disabling SSL 3.0 as a measure to mitigate this vulnerability. Once SSL 3.0 is disabled, the client no longer has to worry about information leakage through this vulnerability. If you then find that some HTTPS websites cannot be accessed, it is likely that the website supports only SSL. For details on how to disable SSL 3.0 in Windows or Internet Explorer, refer to Microsoft Security Bulletin 3009008.
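The attack described above only works against a connection that negotiates SSL 3.0, and the mitigation is to switch SSL 3.0 off, so the check an administrator wants is whether a given server (their own) will still accept an SSL 3.0 handshake. The following is an added Python example; it is not part of the original article and not a Microsoft tool. It builds a minimal SSL 3.0 ClientHello offering CBC cipher suites and classifies the first record the server sends back: an SSL 3.0 ServerHello means the server still accepts SSL 3.0, while a protocol_version or handshake_failure alert means it refuses. The two sample server responses are constructed inline so the classifier can be exercised offline; the probe_server helper and its host and port parameters are assumptions for running the check against servers you administer.

```python
import os
import socket
import struct

# SSL/TLS record-layer content types and handshake message types (RFC 6101 / RFC 5246)
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2
SSL3_VERSION = (3, 0)

# Alert descriptions a server typically sends when it refuses SSL 3.0
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

# CBC cipher suites: POODLE concerns CBC mode, so these are what the probe offers
CBC_SUITES = (0x002F, 0x0035, 0x000A)  # AES128-SHA, AES256-SHA, 3DES-SHA


def build_sslv3_client_hello(cipher_suites=CBC_SUITES) -> bytes:
    """Build one record containing a minimal SSL 3.0 ClientHello (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x00"                                # client_version = SSL 3.0
        + os.urandom(32)                           # client random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, 3, 0, len(handshake)) + handshake


def classify_response(response: bytes) -> str:
    """Classify the first record a server returns in reply to the SSL 3.0 ClientHello."""
    if len(response) < 5:
        return "unrecognized"
    content_type, _major, _minor, length = struct.unpack("!BBBH", response[:5])
    body = response[5:5 + length]
    if content_type == CONTENT_ALERT:
        if len(body) >= 2:
            return "refused: " + ALERT_NAMES.get(body[1], "alert %d" % body[1])
        return "refused: alert"
    if content_type == CONTENT_HANDSHAKE and len(body) >= 6 and body[0] == HANDSHAKE_SERVER_HELLO:
        # bytes 4-5 of the ServerHello message carry the version the server chose
        negotiated = (body[4], body[5])
        if negotiated == SSL3_VERSION:
            return "sslv3-accepted"
        return "negotiated %d.%d" % negotiated
    return "unrecognized"


def server_accepts_sslv3(response: bytes) -> bool:
    """True when the reply is an SSL 3.0 ServerHello, i.e. the server still needs hardening."""
    return classify_response(response) == "sslv3-accepted"


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Assumed helper: send the ClientHello to a server you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_response(sock.recv(4096))


# Constructed sample responses (not captured from any real server)
SAMPLE_SERVER_HELLO_SSL3 = (
    b"\x16\x03\x00\x00\x2a"   # record: handshake, version 3.0, 42-byte payload
    + b"\x02\x00\x00\x26"     # ServerHello, 38-byte body
    + b"\x03\x00"             # server_version = SSL 3.0 -> still accepted
    + b"\x00" * 32            # server random
    + b"\x00"                 # session_id length 0
    + b"\x00\x2f"             # chosen suite: AES128-SHA (CBC)
    + b"\x00"                 # null compression
)
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal protocol_version
SAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal handshake_failure

if __name__ == "__main__":
    for name, sample in (("legacy server", SAMPLE_SERVER_HELLO_SSL3),
                         ("hardened server", SAMPLE_ALERT_PROTOCOL_VERSION)):
        print(name, "->", classify_response(sample))
```

A server that answers the probe with an SSL 3.0 ServerHello is the case the article warns about and should have SSL 3.0 disabled; a server that answers with a protocol_version or handshake_failure alert has already done so. Clients that cannot reach such a server after disabling SSL 3.0 are seeing exactly the compatibility problem described above.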

Cheng Ling

Microsoft Greater China Security Project Manager
