How could Microsoft be left behind? Apple and Google products were found to be affected by a longstanding vulnerability which stems from a now-defunct U.S. government regulation enjoining tech companies to use encryption no stronger than 512 bits in “export-grade” software which they could maintain a cryptographic edge over its rivals, a few days back. A security advisory was issued to warn that all supported versions of Microsoft Windows are also affected by FREAK (Factoring attack on RSA-EXPORT Keys) as it is called by SSL/TLS flaw.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” reads the advisory. “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”
The company says it’s currently working on a fix, which could come either as part of a future Patch Tuesday bundle or in the form of an out-of-band security update. In the meantime, the company recommends that those running Windows Vista or later “disable RSA key exchange ciphers using the Group Policy Object Editor” in order to mitigate the threat. The entire procedure can be found here.
A list of vulnerable browsers and popular domains is available at FREAKattack.com. The affected browsers are Internet Explorer, Chrome for Mac (patch available), and Chrome for Android, Safari for Mac (patch likely in a week), Safari for iOS (patch likely in a week), stock Android browser, Blackberry browser, Opera for Mac and Opera for Linux. Maintained by computer scientists at the University of Michigan, the site also lets users check if their browser is vulnerable or maybe flexible.
“The FREAK attack,” the site warns, “is possible when a vulnerable browser connects to a susceptible web server—a server that accepts ‘export-grade” encryption.’” According to the researchers, an attacker could use the vulnerability to “intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.”