Some users who have installed the MS14-066 patch that fixes a vulnerability in the Schannel technology in Windows are having issues with the fix causing TLS negotiations to fail in some circumstances.
The problem arises when users have TLS 1.2 enabled in certain configurations and it will sometimes cause processes to hang or become unresponsive from time to time. Microsoft said it’s aware of the issue and is recommending that users who run into the problem disable support for several of the new cipher suites that the MS14-066 patch adds to Windows.
“We are aware of an issue in certain configurations in which TLS 1.2 is enabled by default, and TLS negotiations may fail. When this problem occurs, TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive,” Microsoft said in a Knowledge Base article.
Microsoft recommends that users delete these ciphers from the registry:
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
The MS14-066 patch fixes a vulnerability in every supported version of Windows that involves the way that Schannel handles certain requests. Schannel is the SSL/TLS implementation in Windows and the vulnerability is remotely exploitable.
“A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets,” Microsoft said in its advisory.