Windows PCs At Risk From FREAK Encryption Flaw

All supported releases of Microsoft Windows are affected by the FREAK security flaw, as well as iOS and Android mobile devices, according to Microsoft.

The flaw was initially thought to affect only some users of Android and BlackBerry phones, and Apple’s Safari web browser.

The broad scope of the vulnerability means hundreds of millions of PC users could be at risk, Microsoft said.

The company said in an advisory that it had determined that the Secure Channel (Schannel) feature in Windows can be attacked using the FREAK (“Factoring RSA-EXPORT Keys”) technique, which forces a system to use a weaker, and breakable, form of encryption.

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft said in the advisory, adding it was not aware that any attacks had actively exploited the issue.

Microsoft said the flaw could facilitate a man-in-the-middle attack in which “an attacker could downgrade an encrypted SSL/TLS session and force client systems to use a weaker RSA export cipher. The attacker could then intercept and decrypt this traffic.”

No patch is yet available, as the company is still investigating the flaw. Instead, Microsoft advised users to disable the RSA export ciphers in their systems.
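As an added example (not from the article or from Microsoft's advisory), the following is a passive check a defender can run over a captured TLS ServerHello to see whether the server negotiated one of the RSA export suites the downgrade relies on. The suite numbers are the IANA registry values; the sample record builder is constructed for testing and is an assumption of this example.

```python
# Added example: flag a TLS ServerHello that selected an RSA export cipher suite.
# Not from the article or Microsoft; suite IDs are the IANA cipher suite registry values.
import struct
from typing import Optional

# RSA export suites (the 40/56-bit, 512-bit-key suites a FREAK downgrade forces).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE = 0x16     # TLS record content type
SERVER_HELLO = 0x02  # handshake message type


def parse_server_hello_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a ServerHello record; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + suite(2) + compression(1)
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", hello[off:off + 2])
    return suite


def downgraded_to_export(record: bytes) -> Optional[str]:
    """Name of the RSA export suite the server selected, or None if a non-export suite was chosen."""
    return RSA_EXPORT_SUITES.get(parse_server_hello_suite(record))


def build_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello (TLS 1.0, zero random, empty session id) for testing."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(body)) + body
```

Run over ServerHello records from a capture, any non-None result means the connection was settled on an export suite and should be treated as downgraded.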

Weak encryption

The vulnerability is a relic of the 1990s, when US laws forbade the export of strong encryption. As a result, systems included a weaker RSA export cipher, and it is still present in many systems, although the export ban was lifted in 1999.

Security experts have said the flaw would be relatively difficult to exploit, since it involves targeting vulnerable systems and using hours of computing time to break the cipher.

Apple and Google have both said they have developed patches which will be distributed to mobile device makers and Mac users.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
