According to a security advisory released by Microsoft, all the versions of Windows, including Windows 8.1 and even Server are vulnerable to FREAK. It, however, maintained that it is an industry wide issue and not limited to Microsoft’s Windows operating systems. Using the FREAK vulnerability, cyber criminals can break the SSL (Secure Socket Layers) and TLS (Transport Layer Security) encryption to initiate a man-in-the-middle attack. Though we consider the latest operating systems safe, the technical vulnerability affects all of Microsoft’s secure channel stack, thereby allowing hackers to initiate a man-in-the-middle attack even if users are using SSL or TLS.
In the advisory, Microsoft says that it is aware of the security feature bypass vulnerability in secure channels that are used in most Microsoft products. It further maintained that though Microsoft was one of the research members of the vulnerability, it is an industry wide issue that is not specific to Windows operating systems. Also, there have been no reports of the issue being exploited so far.
This vulnerability can allow a Man-in-the-Middle attacker to force the downgrading of the cipher used in an SSL/TLS connection on a Windows client system to weaker individual ciphers that are disabled but part of a cipher suite that is enabled.
Since Microsoft says it has been part of the group studying the FREAK vulnerability, it is to be deduced that the company knew of it for long and chose not to disclose it until today. The reason why it suddenly came up the security advisory is unknown and it could be probably because they see some sort of fix in the near future.
Microsoft is actively working on the vulnerability using its own team members of Microsoft Active Protection Program. Once the investigation is complete, it will take proper steps to address the issue and to protect its users. The step could come as a normal Windows update or could be pushed as a patch whenever it is done.
The following operating systems are vulnerable due to FREAK: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and even Windows RT. Right now, before issuing a general update or patch, Microsoft suggests turning off RSA key exchanges ciphers using Group Policy Object Editor. Note that the cipher cannot be turned off on Servers. For others, the key cipher can be found under SSL Security Settings.Here is a list of cipher keys to alter to turn off the RSA in Windows Pro and above editions.
Microsoft Security Advisory 3046015 talks about this issue in detail. If you are a Windows user, visit this link to check your security status.
If you are a Firefox user, have a look at their recommended settings.
