Microsoft has just issued a patch to deal with a bug that’s been around for 19 years. Is WinShock as dangerous as the Heartbleed bug? Here’s what we know so far about WinShock.
Described as “potentially catastrophic” by Ars Technica, WinShock is a security flaw that affects “virtually all versions of Windows.” This security flaw in the Microsoft secure channel (schannel) security component could allow cyberattackers to target Windows-based servers. Those who run Web or e-mail servers are particularly vulnerable, and should immediately install the security patch for WinShock from Microsoft. This patch was pushed on November 11.
The BBC cites Gavin Millard from Tenable Network Security, who explains that it’s hard to compare WinShock’s destructive capabilities to Heartbleed:
“Is WinShock as bad as Heartbleed? At the moment, due to the lack of details and proof-of-concept code, it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”
The BBC adds that it was IBM’s security researchers who discovered the WinShock flaw, which had been present in every version of Windows since Windows 95.
WinShock is not the first bug to be compared to Heartbleed in recent months. The recent Shellshock “Bash Bug” has been described by some publications as being more dangerous than the Heartbleed bug that was discovered earlier this year.
Ars Technica stated that “because of its wide distribution, the [Shellshock Bash Bug] vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous.”
Heartbleed was a security flaw that affected about 2/3 of all web servers. It was introduced as the result of a careless accident by programmer Robin Seggelmann. Heartbleed was a flaw in OpenSSL, an open-source encryption technology. Because OpenSSL is used in the “secure” part of websites, sites running it were exposed to hackers who were looking to steal passwords or personal financial details. What made Heartbleed so scary was the fact that users couldn’t easily tell if their data had been compromised.
The video above offers an explanation of the Heartbleed security flaw that even non-techies can understand. In the video, popular YouTuber Tom Scott breaks down what Heartbleed is, using diagrams and Pokemon references to illustrate his point.