FREAKing hell: ALL Windows versions vulnerable to SSL snoop
Relax! We've got a (server-knackering) workaround to sort things out, says Microsoft
Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack.
This means if you're using the company's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to deploy weak encryption over the web.
Intercepted HTTPS connections can be easily cracked, revealing sensitive details such as login cookies and banking information, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are).
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Redmond says in an advisory.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.
"When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."
The bug (CVE-2015-1637) in Windows' Secure Channel component is not thought to be under active attack by eavesdroppers at the time of writing.
The FREAK (Factoring attack on RSA-EXPORT Keys) mess revealed this week allows bad guys to decrypt login cookies and other sensitive information from HTTPS connections to vulnerable browsers.
Redmond is pushing out details of defensive mechanisms through its Microsoft Active Protections Program. It offers imperfect workarounds including changing of the registry in Server 2003 to disable vulnerable key exchange ciphers which it warns could cause "serious problems".
So far Google Chrome for OS X prior to version 41.0.2272.76 and BlackBerry OS 10.3 are known to be vulnerable. Users can visit freakattack.com to determine their browser exposure.
Hundreds of cloud providers still have not moved against the vulnerability. Skyhigh Networks reported that 766 cloud services were still at risk a day after FREAK was made public, based on an analysis of more than 10,000 different services.
Most companies used 122 potentially vulnerable services, which pointed out that popular cloud services are disproportionately affected by slow patching against FREAK. ®