CVE Number: MS10-085
Vulnerability: Vulnerability in SChannel Could Allow Denial of Service (2207566)
Product: Windows 7
Severity: Critical
Date: 13-10-2010

Technical Information

Brief overview of the risk:
This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow denial of service if an affected Internet Information Services (IIS) server hosting a Secure Sockets Layer (SSL)-enabled Web site received a specially crafted packet message. By default, IIS is not configured to host SSL Web sites.
Detailed Information on the risk:

A denial of service vulnerability exists in the way that SChannel processes client certificates in implementations of Internet Information Services (IIS) 7.0 on Windows Server 2008 and Windows Vista, and in IIS 7.5 on Windows Server 2008 R2 and Windows 7. A remote, anonymous attacker could send a specially crafted network packet to the affected system that would cause the LSASS service to stop responding and the system to restart. Systems are only affected if SSL is enabled, which is not a default configuration.


Further information on this vulnerability is available at: MS10-085

Affected Software

Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Vista Service Pack 1
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1
Windows Vista x64 Edition Service Pack 2