The latest IT news reveals that computers running all supported versions of the Microsoft Windows OS and related products are vulnerable to the “FREAK” encryption bug. Reportedly, it is a decade-old encryption flaw that makes it possible for the electronic communications of Windows users to be intercepted while they browse websites on the Internet.
Earlier, it was assumed that the flaw affected only Apple’s Safari and Google’s Android browsers. However, Microsoft later reported that all supported versions of Windows, including its Server products, are vulnerable to FREAK attacks against Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS).
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” Microsoft said in the advisory. “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.”
Moreover, Microsoft said it will most probably address the flaw either in its regular Patch Tuesday update or by releasing an out-of-cycle patch. Meanwhile, Microsoft suggested disabling the RSA export ciphers as a workaround, and has published the steps for disabling the RSA key exchange ciphers and specifying the cipher suites that Windows should use.
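To make that workaround concrete, the following PowerShell script is an added example, not code from the article or from Microsoft’s advisory. It reads the current Schannel cipher suite order, drops every suite whose name contains EXPORT (the 40-bit and 56-bit “export grade” RSA suites that FREAK downgrades a connection to), and writes the remaining list to the policy value that the “SSL Cipher Suite Order” Group Policy setting uses. It assumes an elevated session on Windows 7 / Server 2008 R2 or later; the registry paths are the standard Schannel policy and local-default locations, and the 1023-character limit on the policy value is a documented constraint of that setting.

```powershell
# Added example: strip RSA export cipher suites from the Schannel cipher suite order.
# Not Microsoft's own script; run from an elevated PowerShell session.

# Policy value written by Group Policy "SSL Cipher Suite Order" (REG_SZ, comma-separated).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# OS default list (REG_MULTI_SZ), used when no policy has been set yet.
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'

function Get-CurrentSuiteOrder {
    # Prefer an existing policy list; fall back to the built-in default order.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return @($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $local = Get-ItemProperty -Path $LocalKey -Name Functions
    return @($local.Functions)
}

function Remove-ExportSuites {
    param([string[]]$Suites)
    # Any suite name containing EXPORT is a legacy 40/56-bit RSA export suite.
    $removed = @($Suites | Where-Object { $_ -match 'EXPORT' })
    $kept    = @($Suites | Where-Object { $_ -notmatch 'EXPORT' })
    return [pscustomobject]@{ Kept = $kept; Removed = $removed }
}

function Set-SuiteOrderPolicy {
    param([string[]]$Suites)
    $value = $Suites -join ','
    # The policy value is limited to 1023 characters; refuse rather than silently truncate.
    if ($value.Length -gt 1023) {
        throw "Cipher suite list is $($value.Length) characters; the policy value allows at most 1023. Trim the list first."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
}

$current = Get-CurrentSuiteOrder
$result  = Remove-ExportSuites -Suites $current

if ($result.Removed.Count -eq 0) {
    Write-Host "No export cipher suites present in the current order; nothing to change."
} else {
    Write-Host "Removing the following export suites from the Schannel order:"
    $result.Removed | ForEach-Object { Write-Host "  $_" }
    Set-SuiteOrderPolicy -Suites $result.Kept
    Write-Host "Policy updated with $($result.Kept.Count) suites. A reboot is required for Schannel to pick up the new order."
}
```

The change takes effect only after a reboot, and because it is written to the policy key it will be overwritten by any domain Group Policy that also sets “SSL Cipher Suite Order”, so in a domain the same list belongs in the GPO rather than in local registry. On Windows 10 and Server 2016 or later the `Disable-TlsCipherSuite` cmdlet can remove individual suites without editing the registry directly.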
The FREAK (Factoring RSA Export Keys) vulnerability was discovered a few weeks earlier, when a team of researchers found that they were able to force websites to use intentionally weakened encryption, which they could then break within a short time. After cracking a website’s encryption, it was possible for attackers to steal important data such as passwords and to capture elements on the page.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers.
At present, Chrome for OS X happens to be the only browser for which a patch already exists, whereas Safari for iOS and OS X is about to be patched. Mozilla Firefox does not appear to be affected by FREAK attacks. There is, however, a long list of affected browsers, which includes Chrome for Android, the stock Android browser, the BlackBerry OS browser, Opera for Linux and OS X, and Internet Explorer.
It is noteworthy that the FREAK vulnerability is directly linked to the US government’s prohibition, in the early 1990s, on exporting software featuring strong encryption, under which only 512-bit RSA keys were permitted for export. Of more than 14 million sites scanned for the FREAK vulnerability, more than 36 percent were found to be affected.
Given that most computers run a version of the Microsoft Windows OS, releasing a patch for this vulnerability should be one of Microsoft’s most important tasks. Fortunately, according to Microsoft, no FREAK attacks had been observed before the security advisory was released.