Friday, March 6, 2015

Microsoft reveals Windows vulnerable to FREAK SSL flaw

Summary: Redmond has said that the FREAK security flaw affects versions of its Windows operating system from Windows Server 2003 and Windows Vista onwards.

By Chris Duckett | March 6, 2015 -- 03:12 GMT (19:12 PST)

The FREAK security bug, which lets a man-in-the-middle attacker downgrade Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections to 1990s-era "export-grade" RSA encryption, with 512-bit keys that are weak enough to be factored, has claimed another victim. This time, it is Microsoft's Secure Channel stack.

"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," the company said in a security advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems."

Although Microsoft Research was part of the team that uncovered FREAK alongside European cryptographers, Redmond chose not to reveal Windows as vulnerable until today.

"When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers," the company said.

Microsoft said it is "actively working" with its Microsoft Active Protections Program partners, and that once it has completed its investigation, it would "take the appropriate action to help protect customers".

"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," Microsoft said.

Affected versions of Windows include Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and Windows RT.