SecurityWeek

FREAK Vulnerability Affects All Windows Versions: Microsoft

Initially, experts believed that the recently disclosed SSL/TLS vulnerability dubbed “FREAK” doesn’t affect Windows, but Microsoft confirmed on Thursday that all supported versions of its operating system are impacted.

According to Microsoft, the vulnerability exists in Secure Channel (Schannel), the security package that implements the SSL/TLS protocols on Windows. An attacker can exploit the flaw to downgrade an encrypted SSL/TLS session and force client systems to accept a weaker, export-grade (512-bit) RSA key exchange. A malicious actor positioned as a man in the middle (MitM) could then factor the export key and use it to intercept and decrypt the traffic.

However, Microsoft says there is no evidence to suggest that the vulnerability has been exploited in the wild against its customers.

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said in an advisory.

In the meantime, users are advised to disable RSA key exchange cipher suites using the Group Policy Object Editor (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order), which is available in Windows Vista and later. The workaround is effective because the attack needs the client to complete an RSA key exchange with an export-grade key; a client that only offers (EC)DHE suites cannot be downgraded this way. The server side matters as well: the attack can only be launched against servers that still support export-grade cipher suites.

FREAK (Factoring attack on RSA-EXPORT Keys) affects several popular cryptographic software libraries, including OpenSSL versions prior to 1.0.1k (CVE-2015-0204), BoringSSL versions released before November 10, 2014, LibreSSL versions prior to 2.1.2, and Apple’s Secure Transport.

Web browsers such as Internet Explorer, Chrome on OS X and Android, Safari on OS X and iOS, the stock Android browser, BlackBerry Browser, and Opera on OS X and Linux are affected. Chrome for OS X has already been patched by Google, and Apple is expected to release patches for Safari next week.

FREAKattack.com, which monitors the status of the vulnerability, reported that more than a third of HTTPS servers with browser-trusted certificates were at risk as of March 3. The list of popular websites affected by the issue as of March 5 included those of American Express, 4Shared, GroupOn, MIT, and TalkTalk.


Export-grade encryption dates back to the 1990s, when the United States government required organizations that distributed cryptography systems outside the country to deliberately weaken them by limiting key lengths (512-bit RSA and 40-bit symmetric keys).

Today, factoring a 512-bit RSA export key and recovering the private key needed to decrypt communications is cheap. According to cryptography expert Matthew Green, the computation can be completed in roughly 7.5 hours using Amazon’s EC2 service at a cost of about $104, and because many vulnerable servers reuse the same export key for as long as the server process runs, a single factorization can be used against many sessions.
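What the attacker does with the factored key is shown below at toy scale, as an added example that is not part of the article or of Matthew Green’s work. A real 512-bit export modulus is factored with the general number field sieve, which is the multi-hour EC2 job the article describes; here two 32-bit primes stand in for the 256-bit halves so that Pollard’s rho finishes in a fraction of a second. The remaining steps are the same: derive d from p and q, then decrypt the RSA-encrypted premaster secret captured from the ClientKeyExchange. The key, the premaster value and the captured ciphertext are all constructed for the demo.

```python
"""Toy FREAK factoring step: factor the export modulus, recover d, decrypt
the premaster secret. Added example, not code from the article."""
from math import gcd


def pollard_rho(n):
    """Return a non-trivial factor of the composite n (Floyd cycle finding).

    Fine for a ~64-bit toy modulus; a 512-bit RSA_EXPORT key needs the
    number field sieve instead.
    """
    if n % 2 == 0:
        return 2
    for c in range(1, 50):            # vary the polynomial x^2 + c until it works
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def private_exponent(n, e):
    """Factor n and return (d, (p, q)) with d = e^-1 mod (p-1)(q-1)."""
    p = pollard_rho(n)
    q = n // p
    assert p * q == n and 1 < p < n
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), (min(p, q), max(p, q))


def recover_premaster(n, e, ciphertext):
    """Decrypt the RSA-encrypted premaster from a recorded ClientKeyExchange."""
    d, _ = private_exponent(n, e)
    return pow(ciphertext, d, n)


# Constructed demo key (assumption: two 32-bit primes standing in for the
# two 256-bit primes of a 512-bit export key). The MitM only sees (N, E) in
# the ServerKeyExchange message.
P, Q = 2147483647, 4294967291
E = 65537
N = P * Q


def demo():
    """Encrypt a toy premaster as the client would, then recover it as the attacker."""
    premaster = 0x03030BADC0DE                   # constructed value, fits below N
    client_key_exchange = pow(premaster, E, N)   # what the MitM records on the wire
    return recover_premaster(N, E, client_key_exchange) == premaster


if __name__ == "__main__":
    d, (p, q) = private_exponent(N, E)
    print("factored N =", p, "*", q)
    print("premaster recovered:", demo())
```

The toy omits PKCS#1 v1.5 padding and the 48-byte premaster layout; in a real session the recovered premaster feeds the TLS PRF to derive the record keys, at which point everything in the captured session can be decrypted.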

Experts advise Web server administrators to disable support for export-grade cipher suites to mitigate the vulnerability. Servers can be tested using the SSL FREAK Check tool or Qualys’ SSL Server Test.
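The server-side check performed by tools such as the ones mentioned above can be reproduced directly, as in the added example below, which is not code from the article, FREAKattack.com or Qualys. It sends a TLS 1.0 ClientHello that offers only the RSA_EXPORT cipher suites from RFC 2246 and classifies the first record the server returns: a ServerHello selecting one of them means the server can act as the server half of a FREAK attack, while a handshake_failure alert means export suites are disabled. The probe sends no extensions (so no SNI), which is adequate for the legacy configurations this flaw concerns; the host name in the usage is a placeholder and the ServerHello and alert bytes used for the offline test are constructed.

```python
"""Check whether a TLS server accepts an RSA_EXPORT cipher suite.
Added example, not code from the article or from the tools it names."""
import os
import socket
import struct

# RSA_EXPORT cipher suites defined in RFC 2246 (TLS 1.0); each uses a
# 512-bit RSA key exchange.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS10 = b"\x03\x01"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(suites=tuple(EXPORT_SUITES), random32=None):
    """TLS 1.0 ClientHello record offering only `suites`, with no extensions."""
    random32 = os.urandom(32) if random32 is None else random32
    assert len(random32) == 32
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS10                                               # client_version
        + random32                                          # random
        + b"\x00"                                           # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes # cipher_suites
        + b"\x01\x00"                                       # compression: null only
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record from the server.

    Returns (vulnerable, detail). vulnerable is True only when the server
    picked one of the export suites we offered.
    """
    if len(data) < 5:
        return False, "short or empty response"
    rtype = data[0]
    rlen = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if rtype == ALERT and len(payload) >= 2:
        return False, "alert level=%d description=%d (export suites refused)" % (
            payload[0], payload[1])
    if rtype == HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2)
        off = 4 + 2 + 32
        if len(payload) < off + 1:
            return False, "truncated ServerHello"
        off += 1 + payload[off]
        if len(payload) < off + 2:
            return False, "truncated ServerHello"
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        if suite in EXPORT_SUITES:
            return True, "server chose %s (0x%04x)" % (EXPORT_SUITES[suite], suite)
        return False, "server chose non-export suite 0x%04x" % suite
    return False, "unexpected record type 0x%02x" % rtype


def probe(host, port=443, timeout=5.0):
    """Network check: send the export-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    vulnerable, detail = probe(host)
    print("%s: %s (%s)" % (host, "VULNERABLE" if vulnerable else "ok", detail))
```

A server that answers the export-only ClientHello with a handshake_failure alert (description 40) has the suites disabled; one that answers with a ServerHello naming 0x0003, 0x0006 or 0x0008 still needs its cipher suite list trimmed.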

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
