Severity Rating: Important
Revision Note: V1.1 (March 5, 2015): Advisory revised to clarify the reason why no workaround exists for systems running Windows Server 2003. See the Advisory FAQ for more information.
Summary: Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force a downgrade of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally issued, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers. Technologies and best practices that protect against man-in-the-middle (MiTM) attacks similarly mitigate the risks associated with the vulnerability.