# WinShock

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/WinShock
> Markdown URL: https://mediated.wiki/source/WinShock.md
> Source: https://en.wikipedia.org/wiki/WinShock
> Source revision: 1338175237
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Computer security exploit, discovered 2014

| WinShock | |
|---|---|
| Technical name | MS14-066 |
| Type | Exploit (from bug) |
| Isolation date | May 2014 |
| Platforms | Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 95, Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1 |
| Abused exploits | Certificate Verification Bypass, Buffer Overflow, Remote Code Execution |

**WinShock** is a computer [exploit](/source/Exploit_(computer_security)) that targets a vulnerability in the Windows [secure channel (SChannel) module](/source/Security_Support_Provider_Interface) and allows remote code execution.[1] The vulnerability was discovered in May 2014 by [IBM](/source/IBM), who also helped patch it.[2] It had been present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1.[3]

## Details

WinShock exploits a vulnerability in the Windows [secure channel (SChannel) security module](/source/Security_Support_Provider_Interface), specifically in its handling of [SSL](/source/Transport_Layer_Security), that allows remote code execution and, through it, remote control of the affected PC.[1][4] By executing code remotely, attackers could compromise the computer completely and gain full control over it.[5] The vulnerability was given a [CVSS 2.0](/source/CVSSv2) base score of 10.0, the highest score possible.[6]

The attack exploits a vulnerable function in the SChannel module that handles [SSL certificates](/source/Public_key_certificate).[7] A number of Windows applications, such as [Microsoft Internet Information Services](/source/Internet_Information_Services), use the SChannel Security Support Provider to manage these certificates and are therefore vulnerable to the attack.[8]

It was later discovered in November 2014 that the attack could be executed even if the IIS server was set to ignore SSL certificates, as the vulnerable function was still run regardless. Microsoft Office[9] and the Remote Desktop software in Windows could also be exploited in the same way, even though that software did not support SSL encryption at the time.[10]

While the attack is covered by a single [CVE](/source/Common_Vulnerabilities_and_Exposures) and is considered to be a single vulnerability, it is possible to execute a number of different and distinct attacks by exploiting it, including [buffer overflow](/source/Buffer_overflow) attacks as well as certificate verification bypasses.[11]

## Responsibility

The vulnerability was discovered and disclosed privately to Microsoft in May 2014 by researchers in IBM's X-Force team, who also helped to fix the issue.[3] It was disclosed publicly on 11 November 2014,[1] with a proof-of-concept released not long after.[12]

## See also

- [Heartbleed](/source/Heartbleed), a similar vulnerability.

## References

1. ["MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014 - Microsoft Support"](https://support.microsoft.com/en-gb/topic/ms14-066-vulnerability-in-schannel-could-allow-remote-code-execution-november-11-2014-4740940a-5fe0-8d9b-88b5-2e2ca5999537). *support.microsoft.com*. Retrieved 2024-04-28.
2. ["WinShock: A 19-year-old bug"](https://www.eset.com/uk/about/newsroom/blog/winshock/). *www.eset.com*. Retrieved 2024-04-28.
3. ["Microsoft patches 19-year-old Windows bug"](https://www.cnet.com/tech/services-and-software/microsoft-patches-19-year-old-windows-bug/). *CNET*. Retrieved 2024-06-16.
4. Mayer, Wilfried; Zauner, Aaron; Schmiedecker, Martin; Huber, Markus (2016-08-31). "No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large". *2016 11th International Conference on Availability, Reliability and Security (ARES)*. pp. 10–20. arXiv:[1510.08646](https://arxiv.org/abs/1510.08646). doi:[10.1109/ARES.2016.11](https://doi.org/10.1109%2FARES.2016.11). ISBN [978-1-5090-0990-9](https://en.wikipedia.org/wiki/Special:BookSources/978-1-5090-0990-9).
5. ["CERT/CC Vulnerability Note VU#505120"](https://www.kb.cert.org/). *www.kb.cert.org*. Retrieved 2024-06-16.
6. ["NVD - CVE-2014-6321"](https://nvd.nist.gov/vuln/detail/CVE-2014-6321). *nvd.nist.gov*. Retrieved 2024-06-16.
7. Czumak, Mike (2014-11-29). ["Exploiting MS14-066 / CVE-2014-6321 (aka "Winshock")"](https://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/). *Security Sift*. Retrieved 2024-06-16.
8. ["Triggering MS14-066 | BeyondTrust Blog"](https://www.beyondtrust.com/blog/entry/triggering-ms14-066). *BeyondTrust*. Retrieved 2024-06-16.
9. ["Microsoft fixes '19-year-old' bug with emergency patch"](https://www.bbc.com/news/technology-30019976). *BBC News*. 2014-11-12. Retrieved 2024-06-16.
10. Hutchins, Marcus (2014-11-19). ["How MS14-066 (CVE-2014-6321) is More Serious Than First Thought – MalwareTech"](https://malwaretech.com/2014/11/how-ms14-066-winshock-is-worse-than.html). *malwaretech.com*. Retrieved 2024-06-16.
11. Talos Group (2014-11-11). ["Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities"](https://blogs.cisco.com/security/talos/ms-tuesday-nov-2014). *Cisco Blogs*. Retrieved 2024-06-16.
12. Leyden, John. ["WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed"](https://www.theregister.com/2014/11/17/ms_schannel_crypto_poc/). *www.theregister.com*. Retrieved 2024-06-16.

## External links

- [Microsoft Security Bulletin Entry](https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-066)

- [National Vulnerability Database Entry](https://nvd.nist.gov/vuln/detail/CVE-2014-6321)

- [CVE-2014-6321](https://www.cve.org/CVERecord?id=CVE-2014-6321)


---
Adapted from the Wikipedia article [WinShock](https://en.wikipedia.org/wiki/WinShock) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/WinShock?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
