FREAK Vulnerability Affects All Windows Versions: Microsoft

Initially, experts believed that the recently disclosed SSL/TLS vulnerability dubbed “FREAK” did not affect Windows, but Microsoft confirmed on Thursday that all supported versions of its operating system are impacted.

According to Microsoft, the vulnerability exists in Secure Channel (Schannel), a security package that implements the SSL/TLS authentication protocols. An attacker can exploit the flaw to downgrade an encrypted SSL/TLS session and force client systems to use a weaker, export-grade RSA cipher. Through a man-in-the-middle (MitM) attack, a malicious actor could intercept and decrypt encrypted traffic.

However, Microsoft says there is no evidence to suggest that the vulnerability has been exploited in the wild against its customers.

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said in an advisory.

In the meantime, users are advised to disable RSA key exchange ciphers using the Group Policy Object Editor available in Windows Vista and later. This workaround is effective because an attack can only be launched if the server supports export-grade cipher suites.

FREAK (Factoring attack on RSA-EXPORT Keys) affects several popular cryptographic software libraries, including OpenSSL versions prior to 1.0.1k (CVE-2015-0204), BoringSSL versions released before November 10, 2014, LibreSSL versions prior to 2.1.2, and Apple’s Secure Transport.

Web browsers such as Internet Explorer, Chrome on OS X and Android, Safari on OS X and iOS, the stock Android browser, BlackBerry Browser, and Opera on OS X and Linux are affected. Chrome for OS X has already been patched by Google, and Apple is expected to release patches for Safari next week., which monitors the status of the vulnerability, reported that more than a third of HTTPS servers with browser-trusted certificates were at risk as of March 3. The list of popular websites affected by the issue as of March 5 included the ones of American Express, 4Shared, GroupOn, MIT, and TalkTalk.

Export-grade encryption was introduced in 1990 when the United States government required organizations that distributed cryptography systems outside the country to deliberately weaken the strength of encryption keys.

Today, an attacker could easily recover the private key needed to decrypt communications. According to cryptography expert Matthew Green, the process can be completed in roughly 7.5 hours using Amazon’s EC2 service and it would only cost $104.

Experts advise Web server administrators to disable support for export-grade suites to mitigate the vulnerability. Servers can be tested using the SSL FREAK Check tool or Qualys’ SSL Server Test.
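The two mitigations described above (removing RSA key exchange suites on Windows clients, and removing export-grade suites on servers) both amount to auditing a cipher suite order. The following sketch is an added example, not code from Microsoft or from this article. It assumes the order is held as a comma-separated list of names in the `TLS_<key exchange>_WITH_<cipher>` form; the function names and the sample list are constructed for illustration.

```python
import re

# Key exchange is everything between "TLS_" and the first "_WITH_".
_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_.+$")

def classify(suite):
    """Return 'export-rsa', 'export', 'rsa-kx', 'other' or 'unparsed'."""
    m = _SUITE_RE.match(suite.strip().upper())
    if not m:
        return "unparsed"
    kx = m.group("kx")
    if kx.startswith("RSA_EXPORT"):
        return "export-rsa"   # RSA_EXPORT / RSA_EXPORT1024: the FREAK downgrade target
    if "EXPORT" in kx:
        return "export"       # other export-grade key exchanges, e.g. DHE_RSA_EXPORT
    if kx == "RSA":
        return "rsa-kx"       # plain RSA key exchange, dropped by the interim workaround
    return "other"

def audit(order):
    """Return (hardened_order, removed, review) for a comma-separated suite order.

    removed: (name, reason) pairs for export-grade and RSA key exchange suites.
    review:  names that do not parse; left out of the hardened order on purpose
             so that nothing unknown is kept silently.
    """
    kept, removed, review = [], [], []
    for name in filter(None, (s.strip() for s in order.split(","))):
        kind = classify(name)
        if kind == "unparsed":
            review.append(name)
        elif kind == "other":
            kept.append(name)
        else:
            removed.append((name, kind))
    return ",".join(kept), removed, review

# Constructed sample order (not taken from any real system).
SAMPLE_ORDER = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_CK_RC4_128_WITH_MD5",
])

if __name__ == "__main__":
    hardened, removed, review = audit(SAMPLE_ORDER)
    print("hardened order:", hardened)
    for name, reason in removed:
        print("removed:", name, "(" + reason + ")")
    print("needs manual review:", review)
```

Removing every RSA key exchange suite can break connections to servers that offer nothing else, so review the `removed` list before applying a hardened order.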

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
