Microsoft Vulnerabilities
Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk.
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Microsoft said in the advisory. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."
Schannel is a set of Windows protocols that, among other things, accesses the OS's cryptographic features to encrypt traffic between browsers and website servers using SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security).
FREAK, on the other hand, is the label for the flaw that researchers from INRIA, a French research institute, and Microsoft disclosed Tuesday. The bug could allow attackers to silently force a browser-server connection to fall back to long-discarded encryption standards, those guarded by keys relatively easy to crack with off-the-shelf software and computing power purchased from cloud services like Amazon's EC2.
The most likely assault would be through a classic "man-in-the-middle" (MITM) attack, where criminals interpose themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.
Microsoft listed every still-supported version of Windows as affected by the bug. Although the advisory did not promise a patch, Microsoft almost certainly will issue one. The next regularly scheduled Patch Tuesday is next week, March 10.
Because Windows harbors the bug, Microsoft's IE browser is also vulnerable to a FREAK attack. (IE relies on Windows' cryptography to implement SSL and TLS.)
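The cipher-suite downgrade described above leaves traces a client can check for in the handshake itself. The sketch below is an added example, not code from the article or from Microsoft's advisory. It assumes background the article does not spell out: the weak suites are the export-grade RSA suites, and a vulnerable client accepts a temporary RSA key in a ServerKeyExchange message even though a non-export RSA suite was negotiated. All function names and sample handshakes are constructed for illustration.

```python
# Added illustration: code points follow the IANA TLS registry; handshakes are constructed.
EXPORT_RSA = {0x0003, 0x0006, 0x0008}                 # TLS_RSA_EXPORT_* suites
PLAIN_RSA = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}  # TLS_RSA_WITH_* suites
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12

def messages(flight):
    """Yield (type, body) for each handshake message in a reassembled flight."""
    pos = 0
    while pos + 4 <= len(flight):
        length = int.from_bytes(flight[pos + 1:pos + 4], "big")
        yield flight[pos], flight[pos + 4:pos + 4 + length]
        pos += 4 + length

def offered_suites(body):
    off = 35 + body[34]          # skip version(2), random(32), session_id
    n = int.from_bytes(body[off:off + 2], "big")
    return {int.from_bytes(body[i:i + 2], "big") for i in range(off + 2, off + 2 + n, 2)}

def selected_suite(body):
    off = 35 + body[34]          # same fixed prefix as in ClientHello
    return int.from_bytes(body[off:off + 2], "big")

def audit(client_flight, server_flight):
    """Return findings a client should treat as fatal handshake errors."""
    offered = next(offered_suites(b) for t, b in messages(client_flight) if t == CLIENT_HELLO)
    server = dict(messages(server_flight))
    chosen = selected_suite(server[SERVER_HELLO])
    findings = []
    if chosen not in offered:
        findings.append("server selected a suite the client never offered")
    if chosen in EXPORT_RSA:
        findings.append("export-grade RSA suite negotiated")
    if chosen in PLAIN_RSA and SERVER_KEY_EXCHANGE in server:
        findings.append("ServerKeyExchange sent for a plain RSA suite")
    return findings

# --- constructed sample handshakes (TLS 1.0, empty session id) ---
def hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def client_hello(suites):
    raw = b"".join(s.to_bytes(2, "big") for s in suites)
    return hs(CLIENT_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + len(raw).to_bytes(2, "big") + raw + b"\x01\x00")

def server_hello(suite):
    return hs(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00")

CLIENT = client_hello([0x002F, 0x0035, 0x000A])   # client offers only non-export RSA suites
CLEAN = server_hello(0x002F)
TAMPERED = server_hello(0x002F) + hs(SERVER_KEY_EXCHANGE, bytes(70))  # placeholder key bytes
```

`audit(CLIENT, CLEAN)` returns no findings, while `audit(CLIENT, TAMPERED)` reports the unexpected ServerKeyExchange.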