Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.Mitigating Factors
- A server needs to support RSA key exchange export ciphers for an attack to be successful.
- Please see the Suggested Actions section of this advisory for workarounds to disable the RSA export ciphers. Microsoft recommends that customers use these workarounds to mitigate this vulnerability.
Read more here.
Also here.FREAK” flaw in Android and Apple devices cripples HTTPS crypto protection