Hotfixes for CVE-2014-0160 & CVE-2014-0224 vulnerabilities

Hello Folks:

I have been trying for months to patch our Windows 2008 R2 x64 server for these vulnerabilities:

  CVE-2014-0160 TLS Heartbleed Vulnerability

  CVE-2014-0224 OpenSSL Out of Order Change Cipher Spec MiTM Vulnerability

Do you folks have anything that I can use to patch our Windows server?


Appreciate if anyone can help.

Hung

May 21st, 2015 10:00am

Hi,

>> CVE-2014-0160 TLS Heartbleed Vulnerability

Default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability.

Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.

>> CVE-2014-0224 OpenSSL Out of Order Change Cipher Spec MiTM Vulnerability

From the description on the OpenSSL site, it is fixed in newer versions.

For detailed information, please refer to the link below:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b7f064a9-1724-4214-a248-2e21198bcf2b/openssl-ssltls-maninthemiddle-injection-attack-cve20140224?forum=windowsbackup

Best Regards.

May 25th, 2015 5:16am

I understand that Microsoft Windows uses SChannel (not OpenSSL) for its cipher mechanism. So theoretically, it is not affected by any vulnerability pertaining to CVE-2014-0224 & CVE-2014-0160 (Heartbleed). However, our third-party vulnerability scan report (nCircle 360 degrees) shows that our Windows 2008 R2 x64 server is still impacted by those vulnerabilities. This means that our server system is still vulnerable to CVE-2014-0224 & CVE-2014-0160 regardless of the original theory.

Evidently, we are still experiencing CVE-2014-0224 & CVE-2014-0160 vulnerabilities.


May 25th, 2015 9:12pm
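An added example, not part of the thread or any poster's code: one way to check whether software installed on the server ships its own OpenSSL build, by searching binaries for the embedded OpenSSL version banner and comparing it with the first fixed releases from the OpenSSL advisories (1.0.1g for CVE-2014-0160; 0.9.8za, 1.0.0m and 1.0.1h for CVE-2014-0224). That a third-party application bundling OpenSSL explains the scanner finding is an assumption, the function names are hypothetical, and the sample bytes are constructed.

```python
import re
import sys
from pathlib import Path

# Version banner compiled into OpenSSL binaries, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})(?:-fips)? ")

# First fixed letter release per branch, per the OpenSSL advisories.
# "" means the branch was never affected by that CVE.
FIXED = {
    "CVE-2014-0160": {"0.9.8": "", "1.0.0": "", "1.0.1": "g"},
    "CVE-2014-0224": {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"},
}

def letter_key(letter):
    # Release letters run "", a..z, za, zb, ...: order by length, then text.
    return (len(letter), letter)

def assess(base, letter):
    """Map each CVE to True (predates the fix), False, or None (branch not covered)."""
    return {
        cve: (letter_key(letter) < letter_key(fixes[base]) if base in fixes else None)
        for cve, fixes in FIXED.items()
    }

def find_banners(data):
    """Return the sorted, de-duplicated (base, letter) versions found in raw bytes."""
    return sorted({(m.group(1).decode(), m.group(2).decode()) for m in BANNER.finditer(data)})

def scan_tree(root, patterns=("*.dll", "*.exe")):
    """Yield (path, base, letter, assessment) for every binary that embeds a banner."""
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            try:
                data = path.read_bytes()
            except OSError:
                continue  # locked or unreadable file: skip it
            for base, letter in find_banners(data):
                yield path, base, letter, assess(base, letter)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # directory to scan, e.g. an application install folder
        for path, base, letter, verdict in scan_tree(sys.argv[1]):
            print(path, base + letter, verdict)
    else:
        sample = b"\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00"  # constructed sample bytes
        for base, letter in find_banners(sample):
            print(base + letter, assess(base, letter))
```

A hit identifies the application that owns the binary, which is what needs updating; a `None` verdict means the branch is outside the three covered here and has to be checked against the advisories by hand.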

This topic is archived. No further replies will be accepted.
