Microsoft Windows also vulnerable to 'FREAK' encryption flaw

Microsoft Windows also vulnerable to 'FREAK' encryption flaw

Computers running all supported releases of Microsoft Windows are vulnerable to "FREAK," a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw was previously thought to be limited to Apple's Safari and Google's Android browsers. But Microsoft warned that the encryption protocols used in Windows -- Secure Sockets Layer and its successor Transport Layer Security -- were also vulnerable to the flaw.

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems."

Microsoft said it will likely address the flaw in its regularly scheduled Patch Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft suggested disabling the RSA export ciphers.

The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page.

Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers.

"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor," Matthew Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, wrote in a blog post explaining the flaw's origins and effects. "This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today."

Recommended

How Apple makes encryption easy and invisible

Do you know how many times a day you unlock your iPhone? Every time you do, you’re participating in Apple’s user-friendly encryption scheme. Friday, the company hosted a security “deep dive” at which it shared some interesting numbers about its security measures and philosophy as well as user habits. To be honest, we’re less concerned ...

Apple’s rivals wary of taking stand on encryption issue, against the FBI

As Apple resists the US government in a high profile stand-off over privacy, rival device makers are, for now, keeping a low profile. Most are Asian companies — the region produces eight of every 10 smartphones sold around the world — and operate in a complex legal, political and security landscape. Only China’s Huawei has ...

Apple and FBI to testify before Congress next week over encryption

Over the past few days, Apple has made it abundantly clear that it will not comply with the FBI’s demand that it write a new piece of software to help bypass built-in iPhone security measures. On the contrary, Apple has said that it wants the FBI to withdraw all of its demands while adding that ...

Google CEO Pichai Lends Apple Support on Encryption

Google Chief Executive Sundar Pichai lent support to Apple Inc.'s  pushback against a federal order to help law enforcement break into the locked iPhone of an alleged shooter in the San Bernardino, Calif., attacks. Mr. Pichai wrote on Twitter on Wednesday that “forcing companies to enable hacking could compromise users’ privacy.” A federal judge Tuesday ...

暂无评论

发表评论

您的电子邮件地址不会被公开,必填项已用*标注。

This site uses Akismet to reduce spam. Learn how your comment data is processed.