Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

FREAK Vulnerability Affects All Windows Versions: Microsoft

Initially, experts believed that the recently disclosed SSL/TLS vulnerability dubbed “FREAK” doesn’t affect Windows, but Microsoft confirmed on Thursday that all supported versions of its operating system are impacted.

Initially, experts believed that the recently disclosed SSL/TLS vulnerability dubbed “FREAK” doesn’t affect Windows, but Microsoft confirmed on Thursday that all supported versions of its operating system are impacted.

According to Microsoft, the vulnerability exists in Secure Channel (Schannel), a security package that implements the SSL/TLS authentication protocols. An an attacker can exploit the flaw to downgrade an encrypted SSL/TLS session and force client systems to use a weaker, export-grade RSA cipher. Through a man-in-the-middle (MitM) attack, a malicious actor could intercept and decrypt encrypted traffic.

However, Microsoft says there is no evidence to suggest that the vulnerability has been exploited in the wild against its customers.

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said in an advisory.

In the meantime, users are advised to disable RSA key exchange ciphers using the Group Policy Object Editor available in Windows Vista and later. This workaround is efficient because an attack can only be launched if the server supports export-grade cipher suites.

FREAK (Factoring attack on RSA-EXPORT Keys) affects several popular cryptographic software libraries, including OpenSSL versions prior to 1.0.1k (CVE-2015-0204), BoringSSL versions released before November 10, 2014, LibReSSL versions prior to 2.1.2, and Apple’s Secure Transport.

Web browsers such as Internet Explorer, Chrome on OS X and Android, Safari on OS X and iOS, the stock Android browser, BlackBerry Browser, and Opera on OS X and Linux are affected. Chrome for OS X has already been patched by Google, and Apple is expected to release patches for Safari next week.

FREAKattack.com, which monitors the status of the vulnerability, reported that more than a third of HTTPS servers with browser-trusted certificates were at risk as of March 3. The list of popular websites affected by the issue as of March 5 included the ones of American Express, 4Shared, GroupOn, MIT, and TalkTalk.

Advertisement. Scroll to continue reading.

Export-grade encryption was introduced in 1990 when the United States government required organizations that distributed cryptography systems outside the country to deliberately weaken the strength of encryption keys.

Today, an attacker could easily recover the private key needed to decrypt communications. According to cryptography expert Matthew Green, the process can be completed in roughly 7.5 hours using Amazon’s EC2 service and it would only cost $104.

Experts advise Web server administrators to disable support for export-grade suits to mitigate the vulnerability. Servers can be tested using the SSL FREAK Check tool or Qualys’ SSL Server Test.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.