Microsoft has uncovered a flaw in all supported versions of Microsoft Windows that could allow hundreds of millions of computers to be taken over by a remote attacker, International Business Times reports.
Microsoft has uncovered a flaw in all supported versions of its Windows Operating System that could allow hundreds of millions of computers to be taken over by a remote attacker, International Business Times reports. A patch was released on Tuesday to fix the issue, though it appears the exploit has not been used in an attack as of yet.
The flaw was discovered by Microsoft “during a proactive security assessment.” The Security Advisory from the company explains that the exploit could allow attackers to remotely execute code on a computer running all modern versions of Windows: 2003, 2008 and 20012 versions of Windows Server, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows RT.
There was no mention of earlier versions, but given Microsoft stopped supporting Windows XP last year, IBTimes suggests they “are unlikely to mention it in new security advisories”.
The patch, which was released on Tuesday, fixes an exploit in the Microsoft Secure Channel (‘schannel’) which deals with security protocols including encrypted communication for internet applications that use HTTP. Ars Technica explains that “a failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.” As such, unpatched computers that run email or web servers are thought to be especially vulnerable.
“The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets,” details Microsoft in its Security Bulletin.
Mashable writes that to date “there has been no indication that the vulnerability has been used to attack the general public,” and the patch will come as part of a Windows Update. “Anyone who uses a Windows computer—especially if it runs a Web or e-mail server—should ensure Tuesday’s update is installed immediately,” urges Ars Technica.