According to a security advisory Redmond, Washington-based Microsoft Corporation, Apple and Google products are not the only ones vulnerable to FREAK (Factoring attack on RSA-EXPORT Keys) attack technique. The weakness originates from an out of date US government legislation that urged technological companies to utilize encryption that was no more powerful than 512 bits in “export-grade” software. Microsoft announced that every supported version of Microsoft Windows is also affected by FREAK.
The release states: Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”
Microsoft reports that it is presently working on a solution. It may be a part of one of their future “Patch Tuesday” bundle. It could also be part of a future out-of-band security update.
Meanwhile Microsoft suggests that customers who use Windows Vista or later software “disable RSA key exchange ciphers using the Group Policy Object Editor”. This will mitigate the potential threat.
The FREAKattack website features a list of numerous vulnerable domains and browsers. Affected browsers include: Internet Explorer, Chrome for Mac, Chrome for Android, Safari for iOS, Safari for Mac, the stock Android browser, Blackberry browser, Opera for Linux and Opera for Mac. Users can also check the site to learn if their specific browser is vulnerable.
The website warns: “The FREAK attack is possible when a vulnerable browser connects to a susceptible web server—a server that accepts ‘export-grade’ encryption.” Experts agree the vulnerability could be used in order to “intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.”
FREAK Affects Apple, Google And Microsoft