Schannel zero-day exploit released

Original researcher makes public his own exploit code.

Only hours after Microsoft released a patch for the Windows Schannel Security Package, the researcher who discovered the vulnerability, Thomas Lim of COSEINC, released a public exploit for it. According to Microsoft, the Schannel security package implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page or used an application that makes use of SSL/TLS.

In an e-mail to the Full Disclosure mailing list, Lim said that he discovered the vulnerability on August 28, 2006, and reported it to Microsoft on March 19, 2007. Researchers typically, although not always give a vendor time to patch a vulnerability. Once the vulnerability has been patched by the vendor, a researcher may make an exploit public to help system administrators test the patch and to minimize its value on the black market.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Galleries from CNET
    Top-rated reviews of the week (pictures)
    Best iPhone 6 and iPhone 6 Plus cases
    Make your own 'Star Wars' snowflakes (pictures)
    Bento boxes and gear for hungry geeks (pictures)
    The best tech products of 2014
    Does this Wi-Fi-enabled doorbell Ring true? (pictures)