Windows PCs are also vulnerable to "FREAK" flaw
By Shawn Knight
The FREAK flaw that first surfaced early this week was initially only thought to affect software that relied on OpenSSL or Apple's Secure Transport (think Android, iOS and OS X). Microsoft has since released a security advisory indicating its Windows operating system is also vulnerable.
The Redmond-based company noted that it is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. An investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suite used during an SSL/TLS connection.
As outlined earlier this week, the FREAK flaw allows an attacker to request what's called an export cipher. The 512-bit key such a cipher uses is very weak by today's standards and can be cracked in roughly half a day for around $100 using Amazon Web Services.
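The downgrade described above is visible on the wire: the client offers a set of cipher suites in its ClientHello, and the handshake is only safe if the server's ServerHello picks one of them rather than an export-grade RSA suite. The following Python example is added here as an illustration and is not code from the article or from Microsoft; it parses both hello messages from raw TLS records, looks up the negotiated suite against the IANA values for the RSA export suites, and flags the FREAK pattern (an export suite selected that the client never offered). The sample records are constructed inline, not real captures, and the `assess` helper and its field names are this example's own.

```python
import struct

# Export-grade RSA key-exchange suites (IANA TLS Cipher Suite Registry values).
# These are the suites FREAK abuses: the server ends up signing a 512-bit RSA key.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the TLS record header and handshake header, returning the body."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("truncated record")
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake type 0x%02x" % hs[0])
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake")
    return body


def client_hello_suites(record: bytes) -> list:
    """Return the cipher suites offered in a ClientHello, in preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                              # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher_suites field")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]


def server_hello_suite(record: bytes) -> int:
    """Return the single cipher suite selected in a ServerHello."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                              # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def assess(client_hello: bytes, server_hello: bytes) -> dict:
    """Classify one handshake (hypothetical helper): did it land on an RSA
    export suite, and was that suite even offered by the client? A selection
    the client never offered means the offer was altered in transit, which is
    the FREAK downgrade pattern; a client that accepts it anyway is vulnerable."""
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    return {
        "chosen": chosen,
        "chosen_name": RSA_EXPORT_SUITES.get(chosen, "0x%04x" % chosen),
        "export": chosen in RSA_EXPORT_SUITES,
        "offered_by_client": chosen in offered,
        "freak_pattern": chosen in RSA_EXPORT_SUITES and chosen not in offered,
    }


# --- constructed sample messages (not real captures) ------------------------
def _hello(hs_type: int, suites_field: bytes, version: bytes = b"\x03\x03") -> bytes:
    random32 = bytes(range(32))               # placeholder random, constructed
    body = version + random32 + b"\x00" + suites_field   # empty session_id
    if hs_type == CLIENT_HELLO:
        body += b"\x01\x00"                   # compression_methods: null only
    else:
        body += b"\x00"                       # compression_method: null
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


# A client offering only non-export suites (ECDHE-RSA-AES128-GCM, RSA-AES128-CBC).
CLIENT_HELLO_MSG = _hello(CLIENT_HELLO, struct.pack("!HHH", 4, 0xC02F, 0x002F))
# A server reply that nevertheless selects an RSA export suite.
DOWNGRADED_SERVER_HELLO = _hello(SERVER_HELLO, struct.pack("!H", 0x0003))
# A server reply that selects a suite the client actually offered.
HONEST_SERVER_HELLO = _hello(SERVER_HELLO, struct.pack("!H", 0xC02F))

if __name__ == "__main__":
    print(assess(CLIENT_HELLO_MSG, DOWNGRADED_SERVER_HELLO))
    print(assess(CLIENT_HELLO_MSG, HONEST_SERVER_HELLO))
```

The same check works as a passive detection rule on captured traffic: a negotiated suite that appears in the export table is worth an alert on its own, and one the client did not offer is the stronger signal. On the server side, the mitigation is the one the advisory recommends, removing RSA export suites from the enabled set, so no ServerHello can ever carry them.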
Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. A server needs to support RSA key exchange export ciphers for an attack to be successful.
Recommendation: Please see the Suggested Actions for workarounds to disable the RSA export ciphers. Microsoft recommends that customers use these workarounds to mitigate this vulnerability.
Microsoft said it was working with partners in its Microsoft Active Protections Program to provide more information on how to better protect customers. Once that is complete, they will move forward with a fix - one that'll likely consist of a patch through an out-of-cycle update.
Apple said earlier this week that it plans to issue a patch for FREAK sometime next week. Google also has a solution in the works which they've already issued to hardware partners.
You can check to see if your browser is vulnerable by visiting the freakattack.com website.