Microsoft confirms FREAK vulnerability affects Windows as well


Published on March 6, 2015


For some, the high-horse ride is over. Windows users who were pointing fingers at Android, Mac OS and iOS users over the FREAK SSL/TLS vulnerability now join them, at least to some degree.

Microsoft confirmed today that the FREAK vulnerability exists in Secure Channel (Schannel), the Windows security package that implements the SSL/TLS protocols, and that it affects all supported versions of Windows. An attacker positioned between a Windows client and a server can tamper with the handshake to downgrade the session, forcing the client to accept a weak, export-grade (512-bit) RSA key even though the client never asked for an export cipher suite. Keys that short can be factored with modest computing resources.

Essentially this is a man-in-the-middle (MITM) attack: once the attacker has factored the weak key, they can recover the session secrets and read or modify traffic that both ends believe is encrypted. Bad stuff.
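The attack only works against servers that still offer export-grade RSA cipher suites, so the practical first check is whether a given server accepts one. The script below is an added example (not from the article, Microsoft, or the FREAK researchers) that sends a TLS 1.0 ClientHello offering only RSA_EXPORT suites and classifies the server's first response: a ServerHello means the server accepted an export suite, an alert means it refused. The hostname `example.test` is a placeholder; only run this against hosts you are authorised to test.

```powershell
# Added example: does a server accept an export-grade RSA cipher suite?
# Mimics the downgraded ClientHello a FREAK attacker would inject and reads
# the first record the server sends back. Hostname is a placeholder (assumption).

function Test-ExportRsaSupport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    # Only export-grade suites are offered, so the server cannot pick anything else.
    $exportSuites = [byte[]](
        0x00, 0x03,   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
        0x00, 0x06,   # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        0x00, 0x08,   # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        0x00, 0x14    # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    )
    $random = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)

    # ClientHello body: version, random, empty session id, cipher suites, null compression
    $body = New-Object System.Collections.Generic.List[byte]
    $body.AddRange([byte[]](0x03, 0x01))                       # TLS 1.0
    $body.AddRange($random)
    $body.Add(0)                                               # session id length 0
    $body.AddRange([byte[]](0x00, $exportSuites.Length))       # cipher suites length in bytes
    $body.AddRange($exportSuites)
    $body.AddRange([byte[]](0x01, 0x00))                       # one compression method: null

    # Handshake header: type 1 (ClientHello) + 3-byte length
    $len = $body.Count
    $handshake = [byte[]]([byte[]](0x01, 0x00, (($len -shr 8) -band 0xFF), ($len -band 0xFF)) + $body.ToArray())

    # Record header: type 22 (handshake), version 3.1, 2-byte length
    $recLen = $handshake.Length
    $record = [byte[]]([byte[]](0x16, 0x03, 0x01, (($recLen -shr 8) -band 0xFF), ($recLen -band 0xFF)) + $handshake)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($record, 0, $record.Length)

        $header = New-Object byte[] 5
        $read = $stream.Read($header, 0, 5)
        if ($read -lt 5) { return 'no-response' }

        switch ($header[0]) {
            0x16 {
                # Handshake record: next byte is the handshake type, 2 = ServerHello
                $hs = New-Object byte[] 1
                $stream.Read($hs, 0, 1) | Out-Null
                if ($hs[0] -eq 2) { return 'accepts-export-rsa' }
                return 'unexpected-handshake'
            }
            0x15 { return 'rejects-export-rsa' }   # alert record, usually handshake_failure
            default { return 'unexpected-record' }
        }
    }
    finally {
        $client.Close()
    }
}

Test-ExportRsaSupport -HostName 'example.test'
```

A result of `accepts-export-rsa` means the server satisfies the server-side precondition of the attack and should have its export suites disabled; `rejects-export-rsa` means a downgrade attempt against that server would fail at the ServerHello regardless of the client.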

This FREAK attack is getting a lot of attention because it is reported to have affected more than a third of HTTPS servers with browser-trusted certificates. Most of the widely used browsers are or were affected, including Internet Explorer, Chrome on OS X and Android, Safari on OS X and iOS, the stock AOSP Android browser, the BlackBerry browser, and Opera on OS X and Linux.

Google has already issued a patch for Chrome on OS X, and Apple is expected to follow with a patch for Safari sometime next week.

Microsoft says it has found no evidence that the flaw has been used against Windows users, but it is investigating and may ship a fix outside its normal update schedule:

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

There are precautions Windows users can take while they wait for a patch. Microsoft advises disabling the RSA key exchange cipher suites through the "SSL Cipher Suite Order" setting in the Group Policy Object Editor, an option available since Windows Vista. This stop-gap works because FREAK depends on the client completing an RSA key exchange with the attacker-chosen export-grade key: with no RSA key exchange suites offered, Schannel negotiates only (EC)DHE suites, which the downgrade cannot reach. The trade-off is that servers which support nothing but RSA key exchange will no longer be reachable, so test the policy before rolling it out widely. The attack also relies on the server supporting export-grade cipher suites, so server operators should disable those on their side as well.
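The policy that the Group Policy Object Editor writes is a single comma-separated string of cipher suite names under `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, value `Functions`. The script below is an added example (not Microsoft's workaround text or the article's) that takes the current order, drops every static-RSA key exchange suite, and can write the result back. The starting list is a constructed sample in the Windows 8.1-style naming scheme, used only when no policy is already set; on a real machine the effective default depends on the OS version. It must run elevated, and the change takes effect after a reboot.

```powershell
# Added example: build an "SSL Cipher Suite Order" policy with every
# RSA-key-exchange suite removed (the client-side FREAK stop-gap).
# Registry location is the one the Group Policy setting itself uses.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Constructed sample order (assumption: Windows 8.1 / 2012 R2 suite names).
$sampleOrder = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'SSL_CK_RC4_128_WITH_MD5'
)

function Remove-RsaKeyExchangeSuites {
    param([string[]]$Suites)
    # Static RSA key exchange is any suite whose key-exchange token is plain RSA:
    # "TLS_RSA_..." (TLS) or "SSL_..." (SSL 2.0 names). ECDHE_RSA and DHE_RSA use
    # RSA only for signatures and are kept; FREAK needs the RSA *key exchange*.
    $Suites | Where-Object { $_ -notmatch '^(TLS_RSA_|SSL_)' }
}

function Get-CurrentCipherSuiteOrder {
    # Returns the existing policy value if one is set, otherwise the sample.
    $value = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($value -and $value.Functions) { return ($value.Functions -split ',') }
    return $sampleOrder
}

function Set-CipherSuiteOrderPolicy {
    param([string[]]$Suites)
    $joined = $Suites -join ','
    # The policy value is limited to 1023 characters; anything longer is silently truncated.
    if ($joined.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character policy limit' }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Functions -Value $joined -Type String
}

$hardened = Remove-RsaKeyExchangeSuites -Suites (Get-CurrentCipherSuiteOrder)
"Keeping $($hardened.Count) suites:"
$hardened

# Apply only after confirming the servers you depend on offer (EC)DHE suites.
# Set-CipherSuiteOrderPolicy -Suites $hardened   # then reboot
```

With the sample list, four suites survive (the ECDHE and DHE entries) and the five static-RSA and SSL 2.0 entries are dropped. Keep the original `Functions` value somewhere safe so the policy can be reverted once Microsoft's fix is installed.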

Kareem Anderson

Networking & Security Specialist

Kareem is a journalist from the Bay Area, now living in Florida. His passion for technology and content creation is unmatched, driving him to create well-researched articles and incredible YouTube videos.

He is always on the lookout for everything new about Microsoft, focusing on making easy-to-understand content and breaking down complex topics related to networking, Azure, cloud computing, and security.
