A week ago it came to light that Microsoft operating systems above Windows XP were vulnerable to FREAK. This was a bug that helped hackers in exploiting Secure Socket Layer (SSL) and Transport Layer Security (TLS) to initiate a man-in-the-middle attack.
(Image Credit: HackerNews)
The FREAK vulnerability was lying for long dormant in almost all operating systems of Microsoft as well as that of Apple. It is mainly used to intercept the so-called secure connections between browsers and websites and the encryption was so weak that anyone with little knowledge of hacking could use a man-in-the-middle-attack.
A man-in-the-middle attack is someone intercepting the pattern of packets originating from a network or computer and hijacking the communication between browser and website to which the browser is connected. Then hijacker can then direct the browser to malicious websites or inject a script to the browser that it may run because it has established the credentials of the original website and hence trusts the duplicate website as well if the scripts appear to be coming in from the websites. Read more about man-in-the-middle attacks.
A week ago, Microsoft issued a security advisory saying it knew about the FREAK vulnerability and that it was susceptible to the vulnerability on all its working operating systems, that is, to include Windows 8.1 also. It said it was an industry-wide issue and not limited to Microsoft. It also stated that its experts are working on fixing the FREAK vulnerability on Windows operating systems. While some browsers such as Firefox had issued a set of commands to prevent the vulnerability from exploited, Microsoft too advised turning off RSA keys.
In its Patch Tuesday yesterday, Microsoft addressed the issue and pushed an update to fix the FREAK vulnerability. The patches effect both Internet Explorer and Microsoft Office because the latter too uses encrypted connection to connect with OneDrive and other storage systems.
