Microsoft has confirmed that all currently supported versions of Windows are vulnerable to the serious HTTPS FREAK...
The Factoring Attack on RSA-EXPORT Keys, more commonly known as the FREAK attack, is a man-in-the-middle attack caused by a legacy U.S. international trade policy that required weaker encryption for products exported overseas. The policy was discontinued more than 15 years ago, but approximately 33% of encrypted websites (12% of all websites) are believed to still be vulnerable.
Microsoft said in its advisory that the vulnerability could allow an attacker to downgrade an encrypted SSL/TLS session, force client systems to use a weaker RSA export cipher, then intercept and decrypt this traffic.
The issue was thought to only affect Android, iOS and Mac OS platforms, but Microsoft confirmed that the vulnerability (CVE-2015-1637) affects Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, Windows Server 2012 and Windows RT.
However, Microsoft noted that Windows servers are not vulnerable in the default configuration; they can only be exploited by FREAK if export ciphers are enabled.
Microsoft did not confirm when a FREAK patch would be released. The advisory noted that a patch could come in its monthly Patch Tuesday release, which is slated for Tuesday, March 10, or as part of an out-of-cycle update.
In the meantime, Microsoft has described a workaround to help mitigate the vulnerability, which requires disabling RSA key-exchange ciphers in the Windows registry.
Learn about the recent Microsoft Schannel security patch for vulnerable TLS connections.