Microsoft Advisory says all its operating systems vulnerable to FREAK

According to a security advisory released by Microsoft, all supported versions of Windows, including Windows 8.1 and Windows Server, are vulnerable to FREAK. Microsoft maintains, however, that this is an industry-wide issue and not limited to its Windows operating systems. Using the FREAK vulnerability, an attacker positioned between client and server can downgrade an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection to export-grade RSA encryption, whose 512-bit keys can be factored in a matter of hours with rented cloud computing, and then decrypt or tamper with the traffic. Although the latest operating systems are usually considered safe, the flaw sits in Schannel, the secure channel stack shared by Microsoft's products, so a man-in-the-middle attack remains possible even when the user is connecting over SSL or TLS.

SSL/TLS vulnerability

In the advisory, Microsoft says it is aware of a security feature bypass vulnerability in Schannel, the secure channel component used in most Microsoft products. It adds that, although Microsoft was among the research groups that studied the vulnerability, FREAK is an industry-wide issue that is not specific to Windows operating systems. Microsoft also says it has received no reports of the issue being exploited so far.

The vulnerability allows a man-in-the-middle attacker to force the cipher used in an SSL/TLS connection on a Windows client to be downgraded to a weaker cipher that is disabled on the system but belongs to a cipher suite that is enabled. In the FREAK attack the weaker cipher is export-grade RSA: the attacker rewrites the client's handshake to request an export suite, and an affected client accepts the 512-bit RSA key the server returns even though the client never offered that suite. Because many servers reuse the same export key for long periods, the attacker can factor it in advance and then recover the session key of each intercepted connection.

Since Microsoft says it was part of the group that studied FREAK, it presumably knew of the flaw for some time before publishing this advisory. Why it chose to publish now is not stated; one likely reason is that a fix is close.

Microsoft says it is actively working with partners in its Microsoft Active Protections Program (MAPP) to give them information they can use to protect customers. Once its investigation is complete, it will take appropriate action, which could be a fix delivered through the regular monthly Windows Update cycle or an out-of-band update.

The following operating systems are affected by FREAK: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and even Windows RT. Until an update is available, Microsoft suggests disabling RSA key exchange cipher suites using the Group Policy Object Editor. Note that this workaround applies to Windows Vista and later only (it is not available on Windows Server 2003), and that a client configured this way can no longer connect to servers that support only RSA key exchange. The setting is SSL Cipher Suite Order, found under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings. Here is the list of cipher suites to use to turn off RSA key exchange in Windows Pro and higher editions (the Local Group Policy Editor is not included in Home editions).
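Here is the same workaround scripted, as an added example that is not part of Microsoft's advisory or of this article. It reads the cipher suite order Schannel currently uses, drops every suite whose key exchange is plain RSA (the TLS_RSA_WITH_... suites and the TLS_RSA_EXPORT... suites that FREAK downgrades to), and writes the result to the registry value that the SSL Cipher Suite Order policy controls. The registry paths are the ones Windows uses for that setting; the 1023-character limit the script checks is the one Microsoft documents for that value.

```powershell
# Added example, not from Microsoft's advisory: script the "disable RSA key exchange
# cipher suites" workaround. Without -Apply it only shows what would change.
# Run from an elevated PowerShell prompt; Schannel reads the new order after a reboot.
param([switch]$Apply)

# Default cipher suite order Schannel uses when no policy is configured (REG_MULTI_SZ).
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# Value controlled by Computer Configuration > Administrative Templates > Network >
# SSL Configuration Settings > SSL Cipher Suite Order (comma-separated REG_SZ).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CurrentCipherSuiteOrder {
    # An existing policy value wins over the built-in default order.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return @($policy.Functions -split ',' | Where-Object { $_ -ne '' })
    }
    return @((Get-ItemProperty -Path $LocalKey -Name Functions).Functions)
}

function Remove-RsaKeyExchangeSuites {
    param([string[]]$Suites)
    # Suites named TLS_RSA_WITH_... and TLS_RSA_EXPORT... use RSA to transport the
    # session key; the export variants are the 512-bit ones FREAK downgrades to.
    # TLS_ECDHE_RSA_... and TLS_DHE_RSA_... use RSA only for signatures and are kept.
    @($Suites | Where-Object { $_ -notmatch '^TLS_RSA_' })
}

$before  = Get-CurrentCipherSuiteOrder
$after   = Remove-RsaKeyExchangeSuites -Suites $before
$dropped = @($before | Where-Object { $after -notcontains $_ })

"Suites using RSA key exchange ({0}):" -f $dropped.Count
$dropped | ForEach-Object { "  - $_" }
"Remaining suites: {0}" -f $after.Count

# Microsoft documents a 1023-character limit on this value.
$value = $after -join ','
if ($value.Length -gt 1023) {
    throw "Resulting list is $($value.Length) characters; remove more suites to stay under 1023."
}
if (-not $Apply) { "Dry run only. Re-run with -Apply to write the policy value."; return }

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
"Policy value written. Reboot to apply. This client will no longer connect to servers that offer only RSA key exchange."
```

Save it as, for example, Disable-RsaKeyExchange.ps1, run it once to review the suites it would remove, then run it again with -Apply and reboot. Because it writes the policy registry value directly, it also works on Home editions that lack the Local Group Policy Editor, which is what the hand-made registry edits discussed in the comments below achieve.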

Microsoft Security Advisory 3046015 covers this issue in detail. If you are a Windows user, visit this link to check whether your browser is vulnerable.

If you are a Firefox user, have a look at their recommended settings.

Anand Khanse is the Admin of TheWindowsClub.com and a 10-year Microsoft MVP Awardee in Windows for the period 2006-16. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.

3 Comments

  1. Dan

    For those without Group Policy editors, I have tried both of the following on Windows 7 Home Premium 64-bit, successfully. At Ghacks a few days ago, its forum member Al McCann posted, pro bono to anyone (member or not), instructions and a set of registry edits specifically for non-GPE Windows versions, which allow manual edits and give non-GPE OSes the same cipher key revision as in your feature; I would post the actual items here, but the foibles of text wrapping on Disqus make it too disjointed to use; his instructions and edits worked.

    Also, at the German-language site “Deskmodder.de”, dated March 06, 2015, the site operator posted a clean and accurate free “freak zip” file, based on McCann’s, which once downloaded imports easily into the registry. Again, both of these got my IE 11 for Windows 7 going from “fail” to “pass”, just like Firefox does without edits.

    Of course, I backed up, replaced and tested again to ensure “fail” between tests of the two methods described above. This comment is intended for those who know their way around registry editing; should any other type of user wish to try, do first at least make a backup copy of your registry or make a restore point before attempting. It may indeed generally be better to await an IE patch, as no matter how you get IE protected against FREAK, you get the same loss of some sites’ facilities as in FF/Chrome; many sites “require” IE just because they have weak SSL/TLS, and if you harden IE like FF/Chrome, to some sites it will be as “useless” on some pages as other browsers. Cheers!

  2. Dan

    My earlier comment here is now moot; for the March 10, 2015 Patch Tuesday, MS said it was patching the FREAK attack vulnerability in IE. After installing yesterday’s cumulative security update for IE 11 on Windows 7, I tried the test link in your article using IE 11, and IE 11 now passes with the “good news!” result of no vulnerability. However, even so, testing routine things again separately at “Browserscope”, the newly patched IE 11 still fails tests for strict transport and content security, so don’t completely give up on Chrome, FF and similar. Also, I apologize for any posts that may appear to be backlinking; that’s not my intent; Disqus these days seems to automatically convert even obfuscated site or posted data into blue links after I post. I don’t see any way as a user over at Disqus to avoid the system doing that, and if anyone knows, I’d be grateful to learn how to keep Disqus from auto-wrapping my text. Cheers!

  3. This would not cause the blue screen, would it? It’s been 9 months since I had one, then out of the blue it happened again, and I have not added anything in hardware or software since the last time.
