Microsoft has confirmed that all supported versions of Windows are vulnerable to the FREAK security flaw, meaning that hundreds of millions of users could be affected.
The flaw, which could potentially facilitate man-in-the-middle attacks, was initially thought to impact only BlackBerry, Android and Safari, but Microsoft has now confirmed that its operating system is also at risk.
The FREAK (Factoring attack on RSA-Export Keys) vulnerability could be exploited by hackers to force browsers to use legacy forms of encryption that can be deciphered.
“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft said in the advisory, adding that there had been no reports of the flaw being exploited.
Apple, Google and Microsoft have said that patches are on the way; in the meantime, Microsoft has recommended that admins disable RSA key exchange ciphers.
A working group established to monitor the FREAK flaw estimates that 9.5% of the world’s most popular websites could be vulnerable to attack. The group has listed all of the sites in the Alexa top 1 million that permit RSA_EXPORT cipher suites and so may be susceptible. The freakattack.com site also provides an instant check of a user's browser.