
Microsoft confirms Windows vulnerable to FREAK attack

The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.

Microsoft has confirmed that all currently supported versions of Windows are vulnerable to the serious HTTPS FREAK attack technique.

The Factoring Attack on RSA-EXPORT Keys, more commonly known as the FREAK attack, is a man-in-the-middle attack caused by a legacy U.S. international trade policy that required weaker encryption for products exported overseas. The policy was discontinued more than 15 years ago, but approximately 33% of encrypted websites (12% of all websites) are believed to still be vulnerable.

Microsoft said in its advisory that the vulnerability could allow an attacker to downgrade an encrypted SSL/TLS session, force client systems to use a weaker RSA export cipher, then intercept and decrypt this traffic.

The issue was thought to only affect Android, iOS and Mac OS platforms, but Microsoft confirmed that the vulnerability (CVE-2015-1637) affects Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, Windows Server 2012 and Windows RT.

However, Microsoft noted that Windows servers are not vulnerable in the default configuration; they can only be exploited by FREAK if export ciphers are enabled.

Microsoft did not confirm when a FREAK patch would be released. The advisory noted that a patch could come in its monthly Patch Tuesday release, which is slated for Tuesday, March 10, or as part of an out-of-cycle update.

In the meantime, Microsoft has described a workaround to help mitigate the vulnerability, which requires disabling RSA key-exchange ciphers in the Windows registry.
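The downgrade Microsoft describes above (a session forced onto an RSA export cipher) and the server-side condition it notes (servers are only exploitable when export ciphers are enabled) can both be shown with a small model of the client's key-exchange decision. The following is an added example, not Microsoft's Schannel code and not real TLS: the cipher-suite lists, the 2048-bit certificate key, the 1024-bit minimum and the 512-bit temporary key are constructed sample values. The model captures the actual protocol rule behind the fix: a ServerKeyExchange carrying a temporary RSA key is only legal for export suites, so a client that has negotiated a non-export suite must refuse it.

```python
"""Simplified model of the FREAK downgrade and of the two checks that defeat
it. Added example, constructed for illustration: not Microsoft's Schannel
code, not real TLS; the suite lists and key sizes below are sample values."""
from dataclasses import dataclass
from typing import List, Optional

# IANA names of 1990s "export-grade" RSA suites: 40-bit symmetric keys and a
# temporary RSA key of at most 512 bits sent in ServerKeyExchange.
EXPORT_SUITES = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Suites a modern client actually offers (constructed sample list).
STRONG_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
CERT_RSA_BITS = 2048   # assumed size of the server certificate's RSA key
MIN_RSA_BITS = 1024    # smallest RSA key a hardened client will encrypt to


class HandshakeError(Exception):
    pass


@dataclass
class ServerKeyExchange:
    rsa_modulus_bits: int   # temporary RSA key carried only by export suites


@dataclass
class ClientView:
    """What the client sees on the wire, after any on-path tampering."""
    offered: List[str]
    server_chosen: str
    ske: Optional[ServerKeyExchange] = None


def client_premaster_key_bits(view: ClientView, patched: bool) -> int:
    """Return the RSA modulus size the client would encrypt its premaster
    secret under. patched=False reproduces the FREAK client bug: a weak
    temporary key in ServerKeyExchange is honoured even though the
    negotiated suite is not an export suite."""
    if view.server_chosen not in view.offered:
        raise HandshakeError("server chose a suite the client never offered")
    if view.ske is None:
        return CERT_RSA_BITS            # plain RSA: encrypt to the cert key
    if patched:
        # Only EXPORT suites may carry a temporary RSA key (TLS 1.0 rule).
        if view.server_chosen not in EXPORT_SUITES:
            raise HandshakeError("ServerKeyExchange not allowed for this suite")
        if view.ske.rsa_modulus_bits < MIN_RSA_BITS:
            raise HandshakeError("temporary RSA key too short")
    return view.ske.rsa_modulus_bits


def audit_server_suites(enabled: List[str]) -> List[str]:
    """Server-side check matching Microsoft's note that servers are only
    exploitable with export ciphers enabled: list any export suites found."""
    return [s for s in enabled if s in EXPORT_SUITES]


def demo() -> dict:
    # Constructed scenario: the client offered only strong suites, yet the
    # ServerHello it receives names a non-export RSA suite while a 512-bit
    # temporary key arrives in ServerKeyExchange (the downgrade signature).
    tampered = ClientView(
        offered=STRONG_SUITES,
        server_chosen="TLS_RSA_WITH_AES_128_CBC_SHA",
        ske=ServerKeyExchange(rsa_modulus_bits=512),
    )
    honest = ClientView(offered=STRONG_SUITES,
                        server_chosen="TLS_RSA_WITH_AES_128_CBC_SHA")
    results = {
        "vulnerable_client_bits": client_premaster_key_bits(tampered, patched=False),
        "honest_bits": client_premaster_key_bits(honest, patched=True),
    }
    try:
        client_premaster_key_bits(tampered, patched=True)
        results["patched_client_rejects"] = False
    except HandshakeError:
        results["patched_client_rejects"] = True
    # Server audit: a constructed config with one export suite left enabled.
    results["export_enabled_on_server"] = audit_server_suites(
        STRONG_SUITES + ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"])
    return results


if __name__ == "__main__":
    print(demo())
```

The unpatched path returns 512, meaning the client would encrypt its premaster secret to a key small enough to factor, which is exactly the traffic-decryption outcome the advisory describes; the patched path raises instead. The `audit_server_suites` check is the logic behind Microsoft's server-side statement: an empty result is the default, safe configuration, and any hit is a suite that should be removed.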

Next Steps

Learn about the recent Microsoft Schannel security patch for vulnerable TLS connections.


Is your organization concerned about the SSL FREAK vulnerability?
Yes. The now-feared FREAK has been confirmed to also affect all versions of Windows. FREAK was created back in 1990 when the U.S. government banned use of strong encryption on products being exported outside the U.S. This has now resulted in attacks on websites which are thought to be secure but aren't, as they are secured by weak encryption. However, I expect patches to be released soon to deal with this problem.
I don't think the IT staff in the organization where I'm working is concerned about the FREAK vulnerability; as a matter of fact, I don't think they're concerned about SSL/TLS at all, or what a PKI (Public Key Infrastructure) is. Almost all data sent to their servers is insecurely transmitted.
Scary! I know firsthand that hacking and viruses are horrible to experience. It can potentially ruin your entire life, depending on what gets hacked and the severity of it. Great post, though, very informative.
Well, this actually isn't a surprise. You don't really know how much industry has been set back by policies like this, and how much the greater good would be if such stumbling blocks didn't exist. But they do; the question is, how do we prevent these sorts of things from happening in the future? Hindsight always seems to be 20/20.
That is part of the problem with old legacy programs and policies. Those that do not change with the times leave themselves open to exploits that most others assumed nobody was looking at, and so they felt safe.
There is a patch available for this issue; it was issued back in March. We've implemented it in our systems, and it mostly worked fine.