All Microsoft Windows versions Vulnerable to FREAK Vulnerability

Posted by User, 06-03-2015

It is confirmed: all Microsoft Windows versions are susceptible to the recent FREAK vulnerability. Microsoft said it is "actively working" with its Microsoft Active Protections Program partners to protect its users from FREAK, and that once the investigation is complete it would "take the appropriate action to help protect customers." So, Windows users can expect either an out-of-band patch or a security bulletin released on a regular Patch Tuesday.

The recently discovered FREAK vulnerability, which apparently went undetected for more than a decade, is reportedly affecting all supported versions of Microsoft Windows, making the flaw even creepier than we thought.

FREAK is a disastrous SSL/TLS flaw disclosed Monday that allows an attacker to force SSL clients, including OpenSSL, to downgrade to weaker ciphers that can be easily broken, and then to conduct Man-in-the-Middle attacks on encrypted HTTPS-protected traffic passing between vulnerable end users and millions of websites.

FREAK IN MICROSOFT RESIDES IN SECURE CHANNEL

Microsoft issued an advisory published Thursday warning Windows users that the Secure Channel (Schannel) stack, the Windows implementation of SSL/TLS, is vulnerable to the FREAK encryption-downgrade attack, though it said it has not received any reports of public attacks.

When the security glitch was first discovered on Monday, it was believed that Windows systems were immune to FREAK attacks. But if you're using Windows, attackers on your network could force software that uses the Schannel component, such as Internet Explorer, to use weak encryption over the web.

FREAK ENCRYPTION-DOWNGRADE ATTACK

FREAK, short for Factoring attack on RSA-EXPORT Keys, makes it significantly easier for hackers and cyber criminals to decode intercepted HTTPS connections, revealing sensitive information such as login passwords, login cookies, and even banking information.

However, this is only possible if the website or service at the other end still supports 1990s-era "export-grade" cryptography, or 512-bit RSA, which was approved by the U.S. government for overseas export. It was assumed that most servers no longer supported weak 512-bit RSA keys, but unfortunately millions of websites and services on the Internet still do.

Source: http://thehackernews.com/2015/03/freak-openssl-vulnerability_5.html
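As an added example (not from the article or from Microsoft), here is a small defender-side check that parses a captured TLS ServerHello record and flags when the server selected one of the export-grade cipher suites a FREAK downgrade relies on. The cipher suite values come from the IANA TLS registry; the sample ServerHello bytes are constructed here for testing, and the parser assumes a single complete handshake record as input.

```python
import struct
from typing import Optional

# Export-grade (40-bit / RSA_EXPORT) cipher suite identifiers from the IANA TLS registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def server_hello_cipher(record: bytes) -> int:
    """Return the cipher suite selected in a TLS ServerHello.

    `record` is one TLS record: 5-byte record header followed by the handshake message.
    Raises ValueError if the record is not a ServerHello.
    """
    if len(record) < 5 or record[0] != 0x16:        # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:             # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    # Layout: type(1) length(3) version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2)
    sid_len = body[38]
    off = 39 + sid_len
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]

def freak_downgrade_alert(record: bytes) -> Optional[str]:
    """Return an alert string if the server picked an export-grade suite, else None."""
    suite = server_hello_cipher(record)
    name = EXPORT_SUITES.get(suite)
    return f"export-grade suite 0x{suite:04x} ({name}) negotiated" if name else None

def build_server_hello(cipher_suite: int) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (constructed sample data, no extensions)."""
    hs_body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    hs = b"\x02" + struct.pack("!I", len(hs_body))[1:] + hs_body   # 3-byte handshake length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run over ServerHello records from a capture, an alert means the server on the other end still honours export suites and is a FREAK target regardless of what the client originally offered.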