Microsoft has revealed that hundreds of millions of Windows computers are vulnerable to an attack which could allow an attacker to remotely take control of their system.

The bug, which was uncovered by Microsoft itself, affects all modern versions of the company's flagship operating system and according to a security advisory from the company, could potentially allow attackers exploiting it to remotely execute code on a victim's machine.

The critical security flaw was revealed by Microsoft on Tuesday as part of November's Patch Tuesday release, which includes a patch for the vulnerability - called MS14–066 - with Microsoft saying it discovered the flaw "internally found during a proactive security assessment".

Microsoft says there is currently no evidence that the vulnerability is being exploited in the wild but without applying the patch, users are at serious risk of being attacked.


Microsoft says there is no workaround or ways to mitigate the attack so applying the patch is vital. While many systems will be patched automatically, some will need to be manually updated and this is where problems will crop up.

It will be of particular importance for IT managers at large enterprises with hundreds if not thousands of machines to update.

The vulnerability affects Windows servers but Microsoft also rates it as critical for client versions of Windows, with versions affected including

  • Windows Server 2003/2008/2012,
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows RT

There is no mention of Windows XP, but considering Microsoft ended support for that version of the software earlier this year, they are unlikely to mention it in new security advisories. Windows XP however still accounts for over 17% of the desktop market according to NetMarketShare.

The vulnerability affects the Microsoft secure channel (SChannel) security component which deals with SSL and TLS security protocol. The flaw "could allow remote code execution if an attacker sends specially crafted packets to a Windows server."

This is the latest vulnerability to hit these security protocols with the most high profile being the Heartbleed flaw in the OpenSSL protocol which was revealed earlier this year and allows attackers to steal sensitive data.