Microsoft has revealed that hundreds of millions of Windows computers are vulnerable to a flaw that could allow an attacker to take over the machine. Redmond found the flaw itself and said that it affects all modern versions of the company's flagship operating system.
The flaw is in Microsoft Secure Channel (SChannel), the Windows security component that implements the SSL and TLS security protocols. The flaw "could allow remote code execution if an attacker sends specially crafted packets to a Windows server." Microsoft disclosed the critical flaw as part of November's Patch Tuesday release, which includes a patch for the vulnerability, called MS14-066. Microsoft said the flaw was "internally found during a proactive security assessment."
So far no exploit for the flaw has been seen in the wild, but users are at serious risk of being attacked if they do not apply the patch. Microsoft says there is no workaround or mitigation for the attack, so applying the patch is vital. While many systems will be patched automatically, some will need to be updated manually, and this is where problems will crop up.
The vulnerability affects Windows servers, but Microsoft also rates it as critical for client versions of Windows. Affected versions include Windows Server 2003/2008/2012, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows RT.
This is the latest vulnerability to hit implementations of these security protocols. The highest-profile was the Heartbleed flaw in the OpenSSL library, which was revealed earlier this year and allows attackers to steal sensitive data.