Windows PCs At Risk From FREAK Encryption Flaw

All supported releases of Microsoft Windows are affected by the FREAK security flaw, as well as iOS and Android mobile devices, according to Microsoft.

The flaw was initially thought to just impact some users of Android and Blackberry phones, and Apple’s Safari web browser.

The broad scope of the vulnerability means hundreds of millions of PC users could be at risk, Microsoft said.

The company said in an advisory that it had determined that the Secure Channel (Schannel) feature in Windows can be attacked using the FREAK (“Factoring RSA-EXPORT Keys”) technique, which forces a system to use a weaker, and breakable, form of encryption.

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft said in the advisory, adding it was not aware that any attacks had actively exploited the issue.

Microsoft said the flaw could facilitate a man-in-the-middle attack in which “an attacker could downgrade an encrypted SSL/TLS session and force client systems to use a weaker RSA export cipher. The attacker could then intercept and decrypt this traffic.”

No patch is yet available, as the company is still investigating the flaw. Instead, Microsoft advised users to disable the RSA export ciphers in their systems.

Weak encryption

The vulnerability is a relic of the 1990s, when US laws forbade the export of strong encryption. As a result, systems included a weaker RSA export cipher, and it is still present in many systems, although the export ban was lifted in 1999.

Security experts have said the flaw would be relatively difficult to exploit, since it involves targeting vulnerable systems and using hours of computing time to break the cipher.

Apple and Google have both said they have developed patches which will be distributed to mobile device makers and Mac users.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago