The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.
FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.
The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites — then crack the keys and spy away.
When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.
The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.
In its advisory, Microsoft said:
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:
- Internet Explorer
- Chrome on OS X (patch available)
- Chrome on Android
- Safari on OS X (patch expected next week)
- Safari on iOS (patch expected next week)
- Stock Android browser
- BlackBerry browser
- Opera on OS X
- Opera on Linux
As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.
Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…