In what may come as a surprise to some, IBM just announced that it has worked with Microsoft to patch a security vulnerability in Microsoft's operating systems called WinShock. The scariest news is that this vulnerability has been present in every Windows operating system since Windows 95!* This bug has been a part of all of our beloved Microsoft OSes for 19 years!
IBM initially discovered the bug back in May. However, Microsoft chose not to go public until a patch was in place. Microsoft has just released 14 patches as part of its ‘Patch Tuesday’ updates (Tuesday is when Microsoft releases patches for its OSes) to address the WinShock bug. Another two patches are also on the way. To get the latest updates, type ‘Windows update’ in your search bar (if you have anything Vista or later) and install the important patches.
If you would like to read Microsoft’s Security Bulletin on the WinShock bug, you can do so here: https://technet.microsoft.com/library/security/ms14-nov
The bug is in schannel, which is Microsoft’s way of securing the transfer of data. WinShock does not only affect the OS, however; it also affects Microsoft Office products and Microsoft servers. If you are hosting a website that sends encrypted traffic, you are going to want to update as soon as possible. Even though there is no proof that this bug has affected anyone, it was still rated 9.3 out of 10 on the CVSS scale, so all server administrators should consider it just as important and severe as the other bugs that have been identified recently (e.g. Heartbleed, Shellshock).
For more information on how to protect your environment against the WinShock bug, call Everon at 1-888-244-1748.
*The WinShock bug does not affect Windows phones or tablets, as they do not use schannel.