Microsoft confirms Windows vulnerable to FREAK attack

The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.

Microsoft has confirmed that all currently supported versions of Windows are vulnerable to the serious HTTPS FREAK attack technique.

The Factoring Attack on RSA-EXPORT Keys, more commonly known as the FREAK attack, is a man-in-the-middle attack caused by a legacy U.S. international trade policy that required weaker encryption for products exported overseas. The policy was discontinued more than 15 years ago, but approximately 33% of encrypted websites (12% of all websites) are believed to still be vulnerable.

Microsoft said in its advisory that the vulnerability could allow an attacker to downgrade an encrypted SSL/TLS session, force client systems to use a weaker RSA export cipher, then intercept and decrypt this traffic.

The issue was thought to only affect Android, iOS and Mac OS platforms, but Microsoft confirmed that the vulnerability (CVE-2015-1637) affects Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, Windows Server 2012 and Windows RT.

However, Microsoft noted that Windows servers are not vulnerable in the default configuration; they can only be exploited by FREAK if export ciphers are enabled.

Microsoft did not confirm when a FREAK patch would be released. The advisory noted that a patch could come in its monthly Patch Tuesday release, which is slated for Tuesday, March 10, or as part of an out-of-cycle update.

In the meantime, Microsoft has described a workaround to help mitigate the vulnerability, which requires disabling RSA key-exchange ciphers in the Windows registry.
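The following is an added example, not code from the article or from Microsoft's advisory: a Python check that sorts a server's configured cipher suite list into the two groups the article distinguishes, RSA export suites (the condition under which a server is exposed) and all static RSA key-exchange suites (what the workaround disables). The comma-separated input format, the function names and the sample list are assumptions constructed for illustration; the suite names are standard IANA names.

```python
import re

# Static RSA key exchange, with or without an export-grade marker.
_RSA_KX = re.compile(r"^(TLS|SSL)_RSA_(EXPORT(1024)?_)?WITH_")
# Export-grade marker anywhere in the name (40-bit or 56-bit era suites).
_EXPORT = re.compile(r"_EXPORT(1024)?_")

# Constructed sample of a server's configured suite order (not from the article).
SAMPLE_ORDER = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5,"
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,"
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
)

def classify(suite):
    """Return 'rsa-export', 'other-export', 'rsa-kx' or 'ok' for one suite name."""
    name = suite.strip().upper()
    rsa_kx = bool(_RSA_KX.match(name))
    export = bool(_EXPORT.search(name))
    if rsa_kx and export:
        return "rsa-export"      # the weak RSA export ciphers the article describes
    if export:
        return "other-export"    # export-grade, but not RSA key exchange
    return "rsa-kx" if rsa_kx else "ok"

def audit(order):
    """Group a comma-separated suite list by category, keeping configured order."""
    report = {"rsa-export": [], "other-export": [], "rsa-kx": [], "ok": []}
    for suite in filter(None, (s.strip() for s in order.split(","))):
        report[classify(suite)].append(suite)
    return report

def server_exposed(order):
    """True when any RSA export suite is enabled (the server-side condition)."""
    return bool(audit(order)["rsa-export"])

def after_workaround(order):
    """Suites left once every RSA key-exchange suite is disabled."""
    return [s.strip() for s in order.split(",")
            if s.strip() and classify(s) not in ("rsa-export", "rsa-kx")]

if __name__ == "__main__":
    for category, suites in audit(SAMPLE_ORDER).items():
        print(f"{category:13} {suites}")
    print("exposed:", server_exposed(SAMPLE_ORDER))
    print("after workaround:", after_workaround(SAMPLE_ORDER))
```

On the constructed sample, removing the RSA key-exchange suites still leaves a DHE export suite in the list, so the `other-export` group is worth reviewing separately.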
