ALL versions of Microsoft Windows also vulnerable to FREAK security flaw


All computers running Microsoft Windows are vulnerable to the FREAK security flaw, Microsoft has confirmed.

FREAK, which was discovered earlier this week, was only thought to affect Android and Apple’s Safari browser.

However, in this security advisory, Microsoft confirms that encryption protocols used in Windows, namely Transport Layer Security and Secure Sockets Layer, are also vulnerable to the security flaw.

The advisory reads: “Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.

“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”

FREAK is an encryption flaw which has been left undiscovered for the best part of a decade, leaving users vulnerable to potentially having data intercepted when visiting a website.

The vulnerability was only discovered recently when researchers found they could force a website to use weakened encryption which could then easily be hacked. Once hacked, they were able to steal passwords and other personal data.

Researchers claim there is as yet, no evidence to suggest that the vulnerability has been exploited by hackers.

Interestingly, one of the researchers who helped investigate the flaw wrote a blog post blaming the vulnerability on a former policy of the U.S government which prohibited U.S tech companies from exporting the best possible standards of web encryption.

By the time the restriction was lifted in the 1990s, the weaker encryption was already built into Windows and web browsers, as well as in lots of other software used all over the world.

Microsoft said it will rectify the vulnerability either in its weekly patch due to be issued on Tuesday or via a separate security patch.

Source: Microsoft

Via: Ars Technica