MS14-066 ⇥ technet.microsoft.com

From Microsoft TechNet:

This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This security update is rated Critical for all supported releases of Microsoft Windows.

[…]

When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

No time to gloat; this is properly scary. This remote code execution vulnerability exists in pretty much all versions of Windows since 95, and it requires almost no user interaction beyond using Internet Explorer to go to the wrong website. And it’s about to get scarier because that last line — the bit about it not being used in the wild — has just changed.

Patch up.