FREAK Out! Newly Discovered Encryption Flaw Also Affects Windows Users

Bad news, Windows users. Remember that old bit of code that was causing new headaches for iOS and Android device owners? Dubbed "FREAK," the flaw was initially thought to affect only some mobile browsers, but that's no longer the case. Microsoft has issued a security advisory (3046015) warning that FREAK also affects all supported releases of Windows.

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."


The flaw stems from an old U.S. government policy that disallowed strong encryption in products shipped to foreign customers. Those restrictions were lifted in the late 1990s, but support for the weaker "export-grade" encryption remained in a wide range of software around the world, including products sold in the U.S. It wasn't until recently that security researchers noticed it.

Attackers positioned between a browser and a website could force the connection down to the inferior export-grade encryption, which can be cracked within a matter of hours. Once the encryption is cracked, the personal information sent over that connection is up for grabs.
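The defence on either end of the connection is the same: never offer or accept an export-grade cipher suite, so there is nothing to downgrade to. The following Python is an added example (not code from the article or from Microsoft) showing two pieces of that defence: an audit function that flags export-grade suites in a cipher list, and a hardened client context that refuses them. It assumes Python's `ssl` module backed by OpenSSL, whose export suites carry the `EXP-` name prefix; the sample cipher list is constructed for illustration.

```python
import ssl

# OpenSSL names export-grade suites with an "EXP-" prefix (e.g. EXP-RC4-MD5,
# EXP-DES-CBC-SHA). Some cipher-list syntaxes also spell out "EXPORT".
EXPORT_MARKERS = ("EXP-",)


def export_grade_suites(cipher_names):
    """Return the suites in cipher_names that are export-grade.

    A non-empty result from a server's offered list means a FREAK-style
    downgrade has something to land on; a non-empty result from a client's
    configured list means the client would accept such a downgrade.
    """
    return [
        name for name in cipher_names
        if name.startswith(EXPORT_MARKERS) or "EXPORT" in name.upper()
    ]


def hardened_client_context():
    """Build a client TLS context that cannot negotiate export-grade suites.

    "!EXPORT" removes every export suite from the list; "HIGH" keeps only
    strong ciphers; aNULL/eNULL/MD5/RC4 are dropped as well. Pinning the
    minimum protocol to TLS 1.2 closes off the older protocol versions that
    the weak suites were defined for.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!EXPORT:!aNULL:!eNULL:!MD5:!RC4")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def offered_cipher_names(ctx):
    """Names of the suites this context would actually offer in a handshake."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: what a badly configured server might advertise.
SAMPLE_SERVER_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "EXP-RC4-MD5",
    "AES256-SHA",
    "EXP-DES-CBC-SHA",
]


if __name__ == "__main__":
    weak = export_grade_suites(SAMPLE_SERVER_OFFER)
    print("export-grade suites in sample server offer:", weak)

    ctx = hardened_client_context()
    offered = offered_cipher_names(ctx)
    print("hardened client offers", len(offered), "suites;",
          "export-grade among them:", export_grade_suites(offered))
```

Run the audit against the cipher list a server or client is configured with; anything it returns should be removed. The hardened context is what a client should use so that, even if a server still advertises an export suite, the client never agrees to it.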

Microsoft said that when it completes its investigation, it will "take the appropriate action to help protect customers," which could include an out-of-cycle security update.