Windows PCs are also vulnerable to "FREAK" flaw

Shawn Knight



The FREAK flaw that first surfaced early this week was initially only thought to affect software that relied on OpenSSL or Apple’s Secure Transport (think Android, iOS and OS X). Microsoft has since released a security advisory indicating its Windows operating system is also vulnerable.

The Redmond-based company noted that it is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. An investigation has verified that the vulnerability could allow an attacker to force a downgrade of the cipher suite used during an SSL/TLS connection.

As outlined earlier this week, the FREAK flaw allows an attacker to request what's called an export cipher. The 512-bit RSA key used by such a cipher is very weak by today's standards and can be cracked in roughly half a day for around $100 using Amazon Web Services.

Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. A server needs to support RSA key exchange export ciphers for an attack to be successful.

Recommendation: Please see the Suggested Actions for workarounds to disable the RSA export ciphers. Microsoft recommends that customers use these workarounds to mitigate this vulnerability.
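A passive check for the downgrade described above, written as an added example for this story (not Microsoft's or freakattack.com's code): it parses a TLS ServerHello record and flags it when the server negotiated one of the RSA export cipher suites that a FREAK downgrade lands on. The sample records are constructed inline; the cipher-suite IDs are the standard IANA values for the three RSA_EXPORT suites.

```python
import struct

# IANA cipher-suite IDs for the RSA-key-exchange export suites (the suites a
# FREAK downgrade forces the connection onto). Table constructed for this example.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_server_hello(cipher_suite, version=b"\x03\x01"):
    """Construct a minimal TLS ServerHello record (sample input for testing)."""
    body = version + b"\x00" * 32                 # server_version + 32-byte random
    body += b"\x00"                               # empty session_id
    body += struct.pack(">H", cipher_suite)       # the suite the server selected
    body += b"\x00"                               # compression method: null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + version + struct.pack(">H", len(handshake)) + handshake

def parse_server_hello(record):
    """Return (version, cipher_suite) from a ServerHello record, or None when
    the bytes are not a handshake record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake content type
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                            # version(2) + random(32) + sid_len(1)
        return None
    version = struct.unpack(">H", body[0:2])[0]
    off = 35 + body[34]                           # skip the variable-length session_id
    if len(body) < off + 3:
        return None
    suite = struct.unpack(">H", body[off:off + 2])[0]
    return version, suite

def check_downgrade(record):
    """Flag a ServerHello whose negotiated suite is an RSA export suite."""
    parsed = parse_server_hello(record)
    if parsed is None:
        return "not a ServerHello"
    _, suite = parsed
    name = RSA_EXPORT_SUITES.get(suite)
    if name:
        return f"DOWNGRADE: server selected {name} (0x{suite:04x})"
    return f"ok: cipher suite 0x{suite:04x}"

if __name__ == "__main__":
    print(check_downgrade(build_server_hello(0x0008)))   # export suite -> flagged
    print(check_downgrade(build_server_hello(0x002F)))   # TLS_RSA_WITH_AES_128_CBC_SHA -> ok
```

A server that is correctly configured per the advisory's workaround never selects one of these suites, so any hit from a real capture points at a server that still offers RSA export ciphers.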

Microsoft said it was working with partners in its Microsoft Active Protections Program to provide more information on how to better protect customers. Once that is complete, it will move forward with a fix – one that'll likely consist of a patch delivered through an out-of-cycle update.

Apple said earlier this week that it plans to issue a patch for FREAK sometime next week. Google also has a fix in the works, which it has already issued to hardware partners.

You can check to see if your browser is vulnerable by visiting the freakattack.com website.


 
Interesting.
  • Opera 10.63 is immune
  • Google Chrome 40.0.2214 is EXPOSED
  • Firefox 36.0.1 is EXPOSED
 
The only "FREAK" flaw that Windows users are vulnerable to is called Linux :)
The only two "FREAK" flaws that Windows users are vulnerable to are called Linux & OS X :)
It was a slight oversight on your behalf but not to worry, I fixed it for you.
 
Got Chrome 42 64-DEV loaded. Still suffers from lag still under Facebook. Pale moon 64-bit better.
 
The only two "FREAK" flaws that Windows users are vulnerable to are called Linux & OS X :)
It was a slight oversight on your behalf but not to worry, I fixed it for you.
grrr; Rather childish imo. Would appear that these comments are from those FREAKED out; after all, the issue is one of browser cryptography, not the platform(s). Apologies to everyone else.
 
grrr; Rather childish imo. Would appear that these comments are from those FREAKED out; after all, the issue is one of browser cryptography, not the platform(s). Apologies to everyone else.
Sorry, I couldn't resist it. VitaliT is an Apple freak and I was yanking his chain.
 