Windows PCs At Risk From FREAK Encryption Flaw

All supported releases of Microsoft Windows are affected by the FREAK security flaw, as well as iOS and Android mobile devices, according to Microsoft.

The flaw was initially thought to just impact some users of Android and Blackberry phones, and Apple’s Safari web browser.

The broad scope of the vulnerability means hundreds of millions of PC users could be at risk, Microsoft said.

The company said in an advisory that it had determined that the Secure Channel (Schannel) feature in Windows can be attacked using the FREAK (“Factoring RSA-EXPORT Keys”) technique, which forces a system to use a weaker, and breakable, form of encryption.

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft said in the advisory, adding it was not aware that any attacks had actively exploited the issue.

Microsoft said the flaw could facilitate a man-in-the-middle attack in which “an attacker could downgrade an encrypted SSL/TLS session and force client systems to use a weaker RSA export cipher. The attacker could then intercept and decrypt this traffic.”

No patch is yet available, as the company is still investigating the flaw. Instead, Microsoft advised users to disable the RSA export ciphers in their systems.

Weak encryption

The vulnerability is a relic of the 1990s, when US laws forbade the export of strong encryption. As a result, systems included a weaker RSA export cipher, and it is still present in many systems, although the export ban was lifted in 1999.

Security experts have said the flaw would be relatively difficult to exploit, since it involves targeting vulnerable systems and using hours of computing time to break the cipher.

Apple and Google have both said they have developed patches which will be distributed to mobile device makers and Mac users.

Are you a security pro? Try our quiz!