Vulnerabilities in SChannel could allow remote code execution
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker’s Web site. The security update addresses the vulnerabilities by implementing RFC 5746 and additional validation on SSL responses returned by a server.
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB980436.