Original release date: April 30, 2015
Systems Affected
Networked systems
Overview
Securing end-to-end communications plays an important role in protecting privacy and preventing some forms of man-in-the-middle (MITM) attacks. Recently, researchers described a MITM attack used to inject...
Ref:
http://www.winbeta.org/news/microsoft-confirms-freak-vulnerability-affects-windows-well
If you pop onto the site above it will check whether your browser is vulnerable to attack. Apparently the latest Chrome is fine as is IE (version 11.0.9800.0. the one that comes with win 10 build 9926)
attack
browser
build
chrome
cipher
client systems
encryption
exploit
freak
internet explorer
microsoft
rsa
schannel
security
ssl
tls
update
version
vulnerability
windows
Today, we released Link Removed to provide guidance to customers in response to the SSL/TLS issue referred to by researchers as “FREAK” (Factoring attack on RSA-EXPORT Keys).
Our investigation continues and we’ll take the necessary steps to protect our customers.
MSRC Team
Continue reading...
Severity Rating: Important
Revision Note: V1.1 (March 5, 2015): Advisory revised to clarify the reason why no workaround exists for systems running Windows Server 2003. See the Advisory FAQ for more information.
Summary: Microsoft is aware of a security feature bypass vulnerability in Secure...
Original release date: November 14, 2014
Systems Affected
Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2
Microsoft Windows XP and 2000 may also be affected.
Overview
A critical vulnerability in...
Original release date: October 17, 2014
Systems Affected
All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this...
Revision Note: V1.0 (October 14, 2014): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT for the Microsoft Extensible Authentication Protocol...
Revision Note: V1.0 (October 14, 2014): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT for the Microsoft Extensible Authentication Protocol...
Revision Note: V1.0 (May 13, 2014): Advisory published.
Summary: Microsoft is announcing the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to...
Original release date: April 08, 2014
Systems Affected
OpenSSL 1.0.1 through 1.0.1f
OpenSSL 1.0.2-beta
Overview
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory...
credentials
cve-2014-0160
data exposure
exploit
heartbleed
impact
key material
memory
mitigation
openssl
patch
perfect forward secrecy
public access
public disclosure
revision history
security
security flaw
system administrators
tls
vulnerability
Revision Note: V2.0 (August 10, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-049 to address this issue. For more information about this issue, including...
Severity Rating: Important
Revision Note: V1.1 (July 9, 2013): Bulletin revised to announce a detection change in the Windows Vista packages for the 2655992 update to correct a Windows Update reoffering issue. This is a detection change only. Customers who have already successfully updated their...
Severity Rating: Important
Revision Note: V1.2 (July 9, 2013): Bulletin revised to announce a detection change in the Windows Vista packages for the 2785220 update to correct a Windows Update reoffering issue. This is a detection change only. Customers who have already successfully updated their...
Severity Rating: Important
Revision Note: V1.2 (July 9, 2013): Bulletin revised to announce a detection change in the Windows Vista packages for the 2785220 update to correct a Windows Update reoffering issue. This is a detection change only. Customers who have already successfully updated their...
attacker
bulletin
cybersecurity
detection change
encryption
handshakes
important
microsoft
patch
privately reported
reoffering
security
ssl
tls
update
vulnerability
web traffic
windows
windows vista
Severity Rating: Important
Revision Note: V1.1 (July 9, 2013): Bulletin revised to announce a detection change in the Windows Vista packages for the 2655992 update to correct a Windows Update reoffering issue. This is a detection change only. Customers who have already successfully updated their...
Severity Rating: Important
Revision Note: V1.0 (January 8, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in the implementation of SSL and TLS in Microsoft Windows. The vulnerability could allow security feature bypass...
Revision Note: V1.2 (September 11, 2012): Clarified that applications and services that use RSA keys for cryptography and call into the CertGetCertificateChain function could be impacted by this update. Examples of these applications and services include but are not limited to encrypted email...
Provides recommendations for organizations that use MS-CHAP v2/PPTP to implement the Protected Extensible Authentication Protocol (PEAP) in their networks. This mitigates known attacks by encapsulating the MS-CHAP v2 authentication traffic in TLS.
More...