Patch Tuesday patches FREAK, Universal XSS

Today's bumper crop of updates for Windows and other Microsoft products doesn't just fix a new version of the Stuxnet shortcut attack. It also provides fixes to two serious flaws, one in the operating system's handling of secure connections and the other in Internet Explorer.

First up is a fix for the FREAK attack that lets miscreants trick software into using crackable encryption. Windows was initially believed to be immune to the attack, but a couple of days after it was publicized, Microsoft announced that its software was vulnerable, though the company did not explain what it had learned or why Windows was initially believed to be safe.

Today the company issued a patch for SChannel, the Windows component that's responsible for handling the details of SSL and TLS connections. This sheds a little light on why Windows might have been overlooked at first; it suggests that Windows can be tricked into using weak encryption even after agreeing to use strong encryption. The update fixes the hole and, accordingly, software that uses SChannel. This category includes Internet Explorer and most built-in Windows features, but it excludes Chrome and Firefox, which have their own SSL and TLS code.

Read 2 remaining paragraphs | Comments