Microsoft has issued a security warning about a new bug that could potentially let attackers spy on supposedly secure communications.
The bug, called "Freak" was found in software used to encrypt data passing between web servers and web users.
The flaw was initially only thought to affect a small number of users of Android and Blackberry phones and Apple's Safari web browser. However, Microsoft's warning suggests millions more may be at risk of losing data.
The Freak flaw was discovered by encryption and security expert Karthikeyan Bhargavan and lets attackers force data travelling between a vulnerable site and a visitor to use weak encryption. This makes it easier to access the data and steal sensitive information.
Andrew Avanessian, EVP of Consultancy and Technology Services at Avecto argues that the new flaw highlights the dangers of failing to remove outdated technologies as new ones come along.
"The FREAK attack is clear evidence of how far back the long tail of security stretches. As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build. Several recent vulnerabilities such as POODLE have harnessed this type of weakness, tricking clients into using old, less secure forms of encryption.
"Since we can't predict the future, the best option is to be as secure as technology allows. Organizations should not only be looking at what to add but what to remove as part of a strong patch management and update process. Ultimately, security is a journey not a destination and all aspects need to continuously evolve as you move forward."
