MS14-066 is this Month's Problem Patch

MS14-066 is this Month's Problem Patch

It pretty much goes without saying that with each monthly Update release from Microsoft, there will be reported problems. It's just expected. We've grown sadly numb to the fact.

It was strangely quiet the first couple days, leading many to start thinking Microsoft had finally pulled off a perfect release. But, the calm and tentative silence exploded over the weekend.

Who knows where it truly started, but the first hint of problems came in an advisory from Amazon's AWS team on November 11th but continued with updates through the 14th. It was found that MS14-066 was, indeed, causing issues, particularly in TLS 1.2 and RDS SQL Server instances.

Heading deeper into the weekend, new reports started rolling in from various outlets, bloggers, and reporters that MS14-066 is causing serious performance issues, particularly when client applications uses ODBC to connect to SQL Server tables. One example, is companies using Microsoft Access with a SQL Server backend. A Microsoft Connect ticket has been created for this in the SQL Server area. Additionally, IIS on Windows Server 2012 is affected. Tickets have been opened with Microsoft, and the company's support teams have confirmed the performance issues and are gathering data to test.

The KB article associated with MS14-066 (KB2992611) now clearly defines some known issues with the patch, stating that…

We are aware of an issue in certain configurations in which TLS 1.2 is enabled by default, and TLS negotiations may fail. When this problem occurs, TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive.

The KB article, last updated on November 14th and sitting now at revision 3.0, also provides workarounds for the known issues which entail making registry adjustments to delete specific cipher entries in several different registry paths.

There's a Microsoft forum thread created about the issue, as well. In the thread, customers have also reported that MS14-066 is causing users of the Google Chrome web browser to not be able to establish a secure connection, which results in the inability to reach secure pages. Uninstalling the update seems to fix this particular problem.

Some are suggesting the real problem with this patch is Microsoft's annoying habit of including new features in security updates. If MS14-066 were simply left to patch the major SChannel security flaw, things would've been fine. However, the company decided to also mix security fixes with new features in the update. The FAQ in the original security bulletin answers the question Does this update contain any additional security-related changes to functionality? With…

Yes. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to available TLS cipher suites. This update includes new TLS cipher suites that offer more robust encryption to protect customer information. These new cipher suites all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication.

The patch was labeled as Critical, and intended to fix a huge Remote Code Execution flaw in all versions of Windows. By all accounts the update should be applied immediately due to the potential payload. However, Microsoft continues to shoot itself in the foot, keep customers on their heels, force the public to become continuingly wary of its updates, and cause critical product issues to go unpatched.

UPDATE: IBM is now warning customers using IBM Sterling B2B Integrator and IBM Sterling Filegateway and MS14-066. An IBM advisory says:

This appears due to an incompatibility issue between the Oracle JDK 1.6 and SQL Server JDBC driver revolving around the com.sun.rsajca. Provider JDK security provider. There is currently no workaround for this issue with the OS patch. IBM is reaching out further to Microsoft and monitoring the Microsoft forums to achieve immediate resolution to this issue.


Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.