Friday, 6 March 2015
Microsoft: All Windows versions Vulnerable to FREAK Vulnerability
Recently discovered “FREAK” vulnerability that apparently went undetected for more than a decade is reportedly affecting all supported versions of Microsoft Windows, making the flaw more creepy than what we thought.
FREAK vulnerability is a disastrous SSL/TLS flaw disclosed Monday that allows an attacker to force SSL clients, including OpenSSL, to downgrade to weaken ciphers that can be easily broken and then supposedly conduct Man-in-the-Middle attacks on encrypted HTTPS-protected traffic passing between vulnerable end-users and Millions of websites.
FREAK IN MICROSOFT RESIDES IN SECURE CHANNEL
Microsoft issued an advisory published Thursday warning Windows users that Secure Channel (Schannel) stack — the Windows implementation of SSL/TLS — is vulnerable to the FREAK encryption-downgrade attack, though it said it has not received any reports of public attacks.
When the security glitch first discovered on Monday, it was believed that the Windows system was immune to FREAK attacks. But now if you’re the one using Windows, attackers on your network could force the software using Schannel component such as Internet Explorer to use weak encryption over the web.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” the company said in a security advisory. “The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems.”
FREAK ENCRYPTION-DOWNGRADE ATTACK
FREAK — short for Factoring attack on RSA-EXPORT Keys — made it significantly easier for hackers and cyber criminals to easily decode intercepted HTTPS connections, revealing sensitive information such as login passwords, login cookies, and even banking information.
However, this is only possible if the website or service at the other end is still supporting 1990s-era “export-grade” cryptography or 512-bit RSA, which were approved by the U.S. government for overseas export. It was assumed that most servers no longer supported weak 512-bit RSA keys, but unfortunately, Millions of websites and services are still available on the Internet using them.
AFFECTED WINDOWS VERSIONS
The FREAK vulnerability (CVE-2015-1637) in Windows Secure Channel component dramatically increases the number of users previously known to be vulnerable. Affected versions of Windows include:
Windows Server 2003
Windows Server 2008
Windows 8 and 8.1
Windows Server 2012
MICROSOFT WORKING ON PATCH
Microsoft said it is “actively working” with its Microsoft Active Protections Program partners to protect its users from FREAK, and once the investigation get over, it would “take the appropriate action to help protect customers.”
So, Windows users can either expect an out-of-band patch or a security bulletin released on a regular Patch Tuesday.
MORE THAN 36% WEBSITES VULNERABLE
In recent weeks, security researchers scanned more than 14 million websites that support the SSL/TLS protocols and found that more than 36 percent of them were vulnerable to the decryption attacks that support RSA export cipher suites.
Yesterday, Google developers released an updated version of Chrome for Mac that can’t be forced by attackers to use the older, weaker 512-bit RSA cipher, effectively patching the FREAK vulnerability. Additionally, Safari on Mac OS and iOS aren’t vulnerable to the creepy bug.
At the time of writing, the list of affected web browsers included Internet Explorer, Chrome on Android, the stock Android browser, BlackBerry browser, Opera on Mac OS X and Opera on Linux. Users can visit freakattack.com to determine their browser exposure.