The FREAK security bug that allows attackers to conduct man-in-the-middle attacks on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections encrypted using an outmoded cipher has claimed another victim. This time, it is Microsoft's Secure Channel stack.
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," the company said in a security advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems."
Although Microsoft Research was part of the team to uncover FREAK alongside European cryptographers, Redmond chose not to reveal Windows as vulnerable until today.
Simon Crosby, CTO and co-founder at endpoint security firm, Bromium, says: "The older your infrastructure, the more likely latent vulnerabilities will surface - as they have in this case. Attackers will exploit any opportunity - and the legacy base is full of holes, so CIOs need to continually upgrade and patch where they can. And that's only the start. Architectures such as micro-virtualization actually stop cyber attacks - even when vulnerabilities remain."