Less than a week after acknowledging Windows was also vulnerable to a decade-old encryption flaw, Microsoft has issued a fix as part of its monthly Patch Tuesday. The vulnerability in question is known as FREAK (Factoring RSA Export Keys), and it works by forcing systems to downgrade the key length of an RSA key to 512 bits, which is easier to crack and provides a way for an attacker to intercept SSL traffic as it moves between clients and servers.
The flaw surfaced a few weeks ago but researchers said there is no evidence of exploits in the wild. Interestingly, they blame a former US policy for its very existence, as prior to 1990 US companies were banned from exporting products with the strongest encryption standards available at the time. Instead, they were loaded with weaker “export-grade” encryption with a maximum key length of 512 bits which, at the time, was deemed strong enough for commercial use but still weak enough for the government to circumvent.
Initially, it was believed that FREAK was confined to certain SSL clients, mainly associated with Apple's Safari and Android's stock browsers. But Microsoft released an advisory on March 5 warning about the exposure. Apple and Google (and Cisco) have since issued their own patches too.
Yesterday’s Patch Tuesday contained 14 bulletins in total. Five of them are rated critical, including bugs related to the Windows VBScript scripting engine, remote code execution vulnerabilities in Office, remote code execution bugs in the Adobe Font Driver. The highest profile bulletin, however, addresses some issues left behind by the original Stuxnet patch released in 2010.