
MS10-049: A remote Code Execution vulnerability in SChannel, CVE-2010-2566

In MS10-049, we are also addressing a second vulnerability, CVE-2010-2566. This is a vulnerability in schannel.dll which can potentially lead to Remote Code Execution. The vulnerability is present only in Windows XP and Windows Server 2003, and does not affect Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

This vulnerability is present in the code that validates the CertificateRequest handshake message a server sends when it asks the client for a client certificate. An attacker could set up a malicious TLS or SSL-enabled server and convince a user to connect to it using a Windows client application.

A malicious server could then respond with a specifically crafted message that induces heap corruption on the client, leading to a crash of the Local Security Authority Subsystem Service (LSASS), the process in which SChannel runs on these platforms. In theory this is an exploitable condition, and because LSASS runs as LocalSystem, an attacker who achieved code execution would do so as LocalSystem.
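As an added illustration, not Microsoft's code and not a reconstruction of the actual defect in schannel.dll (which this post does not detail), the following C parser reads a TLS 1.0 CertificateRequest message as laid out in RFC 2246 and shows the checks a client must perform on server-supplied length fields: every nested length is verified against the enclosing structure before any bytes are consumed, so a malicious server cannot steer reads or copies past the message it actually sent. The sample messages are constructed for this example (the DER bytes are a placeholder, not a real distinguished name), and the helper and type names are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HS_CERTIFICATE_REQUEST 13   /* HandshakeType value from RFC 2246 */
#define MAX_CAS 16                  /* illustrative cap on names we retain */

typedef struct {
    uint8_t cert_types[255];
    size_t  n_cert_types;
    struct { const uint8_t *der; size_t len; } cas[MAX_CAS];
    size_t  n_cas;
} cert_request_t;

/* Bounded cursor: every read is checked against the bytes actually present,
 * so a length field chosen by the peer can never move us past the buffer. */
typedef struct { const uint8_t *p; size_t left; } cursor_t;

static int take_bytes(cursor_t *c, size_t n, const uint8_t **out) {
    if (c->left < n) return -1;
    *out = c->p; c->p += n; c->left -= n;
    return 0;
}
static int take_u8(cursor_t *c, uint8_t *v) {
    const uint8_t *b; if (take_bytes(c, 1, &b)) return -1; *v = b[0]; return 0;
}
static int take_u16(cursor_t *c, uint16_t *v) {
    const uint8_t *b; if (take_bytes(c, 2, &b)) return -1;
    *v = (uint16_t)((b[0] << 8) | b[1]); return 0;
}
static int take_u24(cursor_t *c, uint32_t *v) {
    const uint8_t *b; if (take_bytes(c, 3, &b)) return -1;
    *v = ((uint32_t)b[0] << 16) | ((uint32_t)b[1] << 8) | b[2]; return 0;
}

/* Parse one complete CertificateRequest handshake message. Returns 0 on success,
 * -1 on any inconsistency between a length field and its enclosing structure.
 * out->cas[i].der points into msg; nothing is copied on the attacker's say-so. */
int parse_certificate_request(const uint8_t *msg, size_t msg_len, cert_request_t *out)
{
    cursor_t c = { msg, msg_len };
    uint8_t type; uint32_t body_len; const uint8_t *body;

    if (take_u8(&c, &type) || type != HS_CERTIFICATE_REQUEST) return -1;
    if (take_u24(&c, &body_len)) return -1;
    if (take_bytes(&c, body_len, &body)) return -1;   /* claimed length > bytes received */
    if (c.left != 0) return -1;                       /* trailing bytes after the message */

    cursor_t b = { body, body_len };
    uint8_t n_types; const uint8_t *types;
    if (take_u8(&b, &n_types) || n_types == 0) return -1;   /* certificate_types<1..2^8-1> */
    if (take_bytes(&b, n_types, &types)) return -1;
    memcpy(out->cert_types, types, n_types);
    out->n_cert_types = n_types;

    uint16_t ca_len; const uint8_t *ca_bytes;
    if (take_u16(&b, &ca_len)) return -1;
    if (take_bytes(&b, ca_len, &ca_bytes)) return -1; /* CA list must fit inside the body */
    if (b.left != 0) return -1;

    cursor_t ca = { ca_bytes, ca_len };
    out->n_cas = 0;
    while (ca.left > 0) {
        uint16_t dn_len; const uint8_t *dn;
        if (take_u16(&ca, &dn_len) || dn_len == 0) return -1;
        if (take_bytes(&ca, dn_len, &dn)) return -1;   /* inner length capped by the outer one */
        if (out->n_cas == MAX_CAS) return -1;
        out->cas[out->n_cas].der = dn;
        out->cas[out->n_cas].len = dn_len;
        out->n_cas++;
    }
    return 0;
}

/* Constructed sample messages (not captured traffic); DER content is a placeholder. */
static const uint8_t GOOD_MSG[] = {
    0x0d, 0x00,0x00,0x0c,                  /* certificate_request, body length 12 */
    0x02, 0x01, 0x02,                      /* certificate_types: rsa_sign, dss_sign */
    0x00,0x07,                             /* certificate_authorities: 7 bytes */
    0x00,0x05, 0x30,0x03,0x31,0x01,0x00    /* one DistinguishedName of 5 bytes */
};
/* Inner DN length (64) exceeds the 5 bytes the outer list actually carries. */
static const uint8_t BAD_DN_MSG[] = {
    0x0d, 0x00,0x00,0x0c, 0x02, 0x01, 0x02, 0x00,0x07, 0x00,0x40, 0x30,0x03,0x31,0x01,0x00
};
/* Handshake length claims 64 body bytes; only 12 are present. */
static const uint8_t BAD_LEN_MSG[] = {
    0x0d, 0x00,0x00,0x40, 0x02, 0x01, 0x02, 0x00,0x07, 0x00,0x05, 0x30,0x03,0x31,0x01,0x00
};

/* Number of CA names parsed, or -1 if the message is rejected. */
int parse_sample(const uint8_t *msg, size_t len)
{
    cert_request_t r;
    return parse_certificate_request(msg, len, &r) == 0 ? (int)r.n_cas : -1;
}

/* 1 if GOOD_MSG decodes to exactly the fields encoded above. */
int good_message_ok(void)
{
    cert_request_t r;
    if (parse_certificate_request(GOOD_MSG, sizeof GOOD_MSG, &r) != 0) return 0;
    return r.n_cert_types == 2 && r.cert_types[0] == 1 && r.cert_types[1] == 2
        && r.n_cas == 1 && r.cas[0].len == 5 && r.cas[0].der == GOOD_MSG + 11;
}

int main(void)
{
    printf("good=%d bad_dn=%d bad_len=%d\n", parse_sample(GOOD_MSG, sizeof GOOD_MSG),
           parse_sample(BAD_DN_MSG, sizeof BAD_DN_MSG), parse_sample(BAD_LEN_MSG, sizeof BAD_LEN_MSG));
    return 0;   /* prints good=1 bad_dn=-1 bad_len=-1 */
}
```

The design point is that a length read from the wire is never used to size a read, copy or allocation until it has been checked against the length of the structure that contains it; the two malformed samples fail at exactly those checks instead of reaching any code that could corrupt the heap.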

A detailed investigation by our team, however, has indicated that the attacker has very little control over what is written to the heap. This vulnerability has an Exploitability Index rating of 2 (Inconsistent exploit code likely), which indicates we believe it is unlikely that reliable exploit code will be published within 30 days.

We do recommend that customers install this update, especially because it is difficult to build an on-the-wire mitigation against this issue. In the TLS handshake protocol the client certificate is usually requested during a renegotiation, so the server's CertificateRequest message travels inside the existing encrypted TLS channel rather than in the cleartext initial handshake. This makes it difficult for firewalls and intrusion prevention systems to successfully detect and block an attack.

Acknowledgements

Thanks to Mark Wodrich and Bruce Dang from the MSRC Engineering team for their contribution to this blog post.

Cheers,
-Maarten Van Horenbeeck, MSRC Program Manager
