Topic: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code E

[Amker]

General Information
Executive Summary

This critical security update resolves a privately reported vulnerability in the Secure Channel (Schannel) security package in Windows. The Schannel security package implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using an Internet Web browser or used an application that makes use of SSL/TLS. However, attempts to exploit this vulnerability would most likely result in the Internet Web browser or application exiting. The system would not be able to connect to Web sites or resources using SSL or TLS until a restart of the system.

This is a critical security update for supported editions of Windows XP, important for editions of Windows 2003, and moderate for editions of Windows 2000. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by modifying the way that the client parses server-key exchange data sent from the server. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None

Update Replacement. This security update does not replace a prior security update.