Microsoft says Windows not immune to FREAK attack

10 Mar 2015

Apple and Google products have been found to be affected by a long-standing vulnerability, caused by a now-defunct US government regulation that prohibited tech companies from using encryption above 512 bits in "export-grade" software, to enable the country to maintain a cryptographic edge over others.

Not to be left behind, the Redmond-based company issued a security advisory warning that all supported versions of Microsoft Windows were also affected by FREAK (Factoring attack on RSA-EXPORT Keys), as the SSL/TLS flaw is called.

"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," the advisory read. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.

"The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."

Microsoft's advisory was also confirmed by Freakattack.com, a service that scanned for vulnerability to the bug. The confirmation ran counter to previous thinking that the bug could not affect Windows systems.

Microsoft said it was not sure if it would need to provide a security update through its normal monthly patch releases or issue what it called an "out-of-cycle" security update to protect users.

FREAK attacks could occur when an unsuspecting user operating a compromised machine visited a vulnerable but supposedly HTTPS-secure website that had been downgraded to a weaker 512-bit cipher by an attacker.