Microsoft: Windows Not Immune to FREAK Attack


The encryption flaw was previously thought to only affect Google and Apple products

A few days back, Apple and Google products were found to be affected by a longstanding vulnerability, which stems from a now-defunct U.S. government regulation enjoining tech companies to use encryption no stronger than 512 bits in “export-grade” software — so that it could maintain a cryptographic edge over its adversaries. Well, how could Microsoft be left behind? The Redmond-based company issued a security advisory Thursday to warn that all supported versions of Microsoft Windows are also affected by FREAK (Factoring attack on RSA-EXPORT Keys), as the SSL/TLS flaw is called.

“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” reads the advisory. “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”

The company says it’s currently working on a fix, which could come either as part of a future Patch Tuesday bundle or in the form of an out-of-band security update. In the meantime, the company recommends that those running Windows Vista or later “disable RSA key exchange ciphers using the Group Policy Object Editor” in order to mitigate the threat. The entire procedure can be found here.

A list of vulnerable browsers and popular domains is available at FREAKattack.com. The affected browsers are Internet Explorer, Chrome for Mac (patch available), Chrome for Android, Safari for Mac (patch likely in a week), Safari for iOS (patch likely in a week), stock Android browser, Blackberry browser, Opera for Mac and Opera for Linux. Maintained by computer scientists at the University of Michigan, the site also lets users check if their browser is vulnerable.

“The FREAK attack,” the site warns, “is possible when a vulnerable browser connects to a susceptible web server—a server that accepts ‘export-grade’ encryption.” According to the researchers, an attacker could use the vulnerability to “intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.”

Follow Pulkit on Google+
Image Credit: Ghacks
    ClanofIdiots.com Administrator
    PcGamingNetworks.com Co-owner
    webmaster@clanofidiots.com
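As an added illustration of the cipher-suite downgrade the advisory describes (example code written for this page, not from the article, Microsoft or the FREAK researchers), the following Python script parses a TLS ServerHello record and reports whether the server selected one of the RSA_EXPORT suites FREAK relies on; the sample records it checks are constructed in the script itself.

```python
# Added example: detect an RSA_EXPORT cipher suite in a TLS ServerHello.
# Parses record header -> handshake header -> ServerHello fields (RFC 5246 layout).
import struct

# IANA code points for the RSA_EXPORT suites (512-bit RSA key exchange) that FREAK abuses
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_server_hello(record: bytes):
    """Return (tls_version, cipher_suite) from a TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:                                # 0x02 = ServerHello handshake type
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")          # 24-bit handshake length
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:                        # version + random + session_id length
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len                                 # cipher_suite follows the session id
    if len(hello) < off + 3:                           # 2 bytes suite + 1 byte compression
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return version, suite

def export_downgrade(record: bytes):
    """Name of the RSA_EXPORT suite the server chose, or None if the suite is not export-grade."""
    _, suite = parse_server_hello(record)
    return RSA_EXPORT_SUITES.get(suite)

def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed test input: a minimal ServerHello (zero random, empty session id, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA (normal); 0x0008 = an export suite (downgraded)
    for s in (0x002F, 0x0008):
        print(hex(s), export_downgrade(build_server_hello(s)))
```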