When the FREAK vulnerability was brought to our attention earlier this week, Windows was not originally believed to be affected by it. Apple and Google took the heat, as the cryptographers who made the discovery named OpenSSL (which is used by Android, among others) and Apple TLS/SSL clients (like Safari) as being vulnerable to FREAK attacks (short for Factoring Attack on RSA-EXPORT Keys).
However, a new security advisory released by Microsoft yesterday paints a different picture. In reality, all supported versions of Windows, including Server products, are vulnerable to FREAK attacks. Microsoft isn't discussing non-supported versions of Windows -- like Windows XP -- for obvious reasons, but it is safe to say that they are also impacted.
The oldest supported version of Windows that is affected is Windows Server 2003 Service Pack 2 (alongside its x64 Edition and the version for Itanium-based Systems). Needless to say, Windows 8.x and Windows Server 2012 (including the R2 edition) are also on the list.
According to Microsoft, the way an attacker could leverage FREAK on Windows is by forcing SSL/TLS connections to downgrade to weaker cipher suites. Microsoft notes that this vulnerability "facilitates exploitation of the publicly disclosed FREAK technique", further adding that it "is an industry-wide issue that is not specific to Windows operating systems".
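The downgrade Microsoft describes works on the cipher suite list a client offers (and a server accepts): the export-grade RSA suites left over from the 1990s export rules are the ones FREAK abuses. The following is an added example, not code from the article or from Microsoft, showing the defender-side check a network monitor or a TLS configuration audit would perform: parse the cipher_suites vector out of a TLS ClientHello record and flag any RSA_EXPORT suite. The three suite codes are the IANA-registered TLS_RSA_EXPORT values; the `build_client_hello` helper and its fixed all-zero random are constructed here purely so the example runs offline, and only checks the classic RSA_EXPORT codes (other export-grade suites exist and would need adding).

```python
"""Flag export-grade RSA cipher suites (the FREAK downgrade target) in a TLS ClientHello."""
import struct

# IANA cipher suite codes for the classic RSA_EXPORT key exchange suites.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_client_hello(record: bytes) -> list:
    """Return the cipher suite codes offered in a TLS ClientHello.

    `record` is a complete TLS record (content type 0x16, handshake) whose
    payload is a single ClientHello handshake message. Malformed input raises
    ValueError rather than producing a partial answer.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def find_export_suites(suites) -> list:
    """Names of any RSA_EXPORT suites present in a list of suite codes."""
    return [RSA_EXPORT_SUITES[c] for c in suites if c in RSA_EXPORT_SUITES]


def build_client_hello(suites, version=(3, 1)) -> bytes:
    """Constructed ClientHello (TLS 1.0 framing) for offline testing.

    The 32-byte random is all zeros and the session id is empty; this is a
    hypothetical sample, not a captured handshake.
    """
    body = bytes(version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # A client that still offers an export suite next to AES-128 (0x002f).
    weak = build_client_hello([0x002F, 0x0003])
    print("offered:", [hex(s) for s in parse_client_hello(weak)])
    print("export suites:", find_export_suites(parse_client_hello(weak)))
```

In practice the same check is applied in two places: on the wire, a ClientHello that still lists an RSA_EXPORT suite identifies a client that can be downgraded, and on a server, the configured cipher list should be confirmed to contain none of these codes, since FREAK needs the server to accept the export suite for the downgrade to succeed.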
At the time of writing this article, Chrome for OS X is the only browser for which a patch exists. Safari for iOS and OS X is expected to be patched next week. Mozilla's Firefox appears not to be vulnerable to FREAK attacks. Other affected browsers include Chrome for Android, the stock Android browser, the BlackBerry OS browser, and Opera for Linux and OS X. And, of course, Internet Explorer.
It should be said that Microsoft hasn't yet developed a patch. The software giant says that it is working with its partners in the Microsoft Active Protections Program to give its clients information on broader protections. If a patch is needed, Microsoft does not exclude the possibility of an out-of-cycle security update; that said, it could still be delivered on Patch Tuesday. The next Patch Tuesday is on March 10, and the one after that is on April 14.
The FREAK vulnerability is linked to the US government's ban on exports of software featuring strong encryption in the early 1990s, under which exported software was limited to 512-bit RSA keys. Of more than 14 million websites scanned for FREAK, over 36 percent were found to be vulnerable.
Considering that Windows is used by the vast majority of PC users, patching this vulnerability should be a top priority for Microsoft. Luckily, Microsoft says that, to its knowledge, there had been no FREAK attacks carried out prior to releasing that security advisory.
Photo credit: Olivier Le Moal / Shutterstock