Microsoft releases patches for FREAK vulnerability and Stuxnet worm

By Jos · 8 replies
Mar 11, 2015
  1. Less than a week after acknowledging Windows was also vulnerable to a decade-old encryption flaw, Microsoft has issued a fix as part of its monthly Patch Tuesday. The vulnerability in question is known as FREAK (Factoring RSA Export Keys), and it works by forcing systems to downgrade the key length of an RSA key to 512 bits, which is easier to crack and provides a way for an attacker to intercept SSL traffic as it moves between clients and servers.

    The flaw surfaced a few weeks ago but researchers said there is no evidence of exploits in the wild. Interestingly, they blame a former US policy for its very existence, as prior to 1990 US companies were banned from exporting products with the strongest encryption standards available at the time. Instead, they were loaded with weaker “export-grade” encryption with a maximum key length of 512 bits which, at the time, was deemed strong enough for commercial use but still weak enough for the government to circumvent.

    Initially, it was believed that FREAK was confined to certain SSL clients, mainly associated with Apple's Safari and Android's stock browsers. But Microsoft released an advisory on March 5 warning about the exposure. Apple and Google (and Cisco) have since issued their own patches too.

    Yesterday’s Patch Tuesday contained 14 bulletins in total. Five of them are rated critical, including bugs related to the Windows VBScript scripting engine, remote code execution vulnerabilities in Office, and remote code execution bugs in the Adobe Font Driver. The highest profile bulletin, however, addresses some issues left behind by the original Stuxnet patch released in 2010.


  2. hahahanoobs

    hahahanoobs TS Evangelist Posts: 2,045   +680

    Holy [expletive]!! 15 Critical AND 17 optional updates resolving issues. Downloading...
  3. noel24

    noel24 TS Evangelist Posts: 357   +203

    DON'T DOWNLOAD THOSE. Several people from family and friends called me today and said that after the regular reboot from MS updates their computers are unresponsive or their Panda security reports Panda files as viruses. Had no time to go investigate, but lost some time explaining system restore over the phone. Crazy. I expect to read about this tomorrow morning. Personally, I never install MS updates at least for a week from release.
  4. tonylukac

    tonylukac TS Evangelist Posts: 1,374   +69

    Microsoft is helping Iranians.
  5. This Patch Tuesday sucked for me. It was all security updates with no actual performance updates for the OS. What a crappy Patch Tuesday.
  6. hahahanoobs

    hahahanoobs TS Evangelist Posts: 2,045   +680

    Working fine here. I used to run Panda, but had problems and replaced it with Malwarebytes Premium.
  7. noel24

    noel24 TS Evangelist Posts: 357   +203

    Well, it looks like it was Panda after all, just coinciding with MS Update.
  8. TheLastPanda

    TheLastPanda TS Member Posts: 78   +10

    Which is why there will be thousands of people reading the patch notes, writing exploit code, and scanning for systems that haven't gotten the update yet. But it's okay I'm sure they use the word "critical" because it can wait a week.
  9. learninmypc

    learninmypc TS Evangelist Posts: 7,673   +413

    All I read about Patch Tuesday was this from Kim Komando
