In our previous blog post, we promised to keep you informed about whether the FREAK (Factoring attack on RSA-EXPORT Keys) vulnerability affects Windows. As of today, Microsoft has confirmed that FREAK affects all supported versions of Microsoft Windows, making the flaw more dangerous than anticipated.
To give you a brief background, FREAK is an SSL/TLS flaw that lets an attacker in a Man-in-the-Middle (MitM) position force vulnerable SSL/TLS clients, OpenSSL-based ones included, to downgrade to 1990s "export-grade" cipher suites that use 512-bit RSA keys. Keys that short can be factored cheaply on commodity hardware, after which the attacker can decrypt and tamper with the HTTPS traffic passing between vulnerable end users and the millions of websites that still offer those export suites.
FREAK in Windows Secure Channel:
Microsoft has issued a security advisory (Microsoft Security Advisory 3046015) warning Windows users that Secure Channel (Schannel), the Windows implementation of SSL/TLS, is vulnerable to the FREAK encryption-downgrade attack, though it says it has not received any reports of attacks in the wild. You can read the entire advisory here.
Affected Windows Versions:
The FREAK vulnerability (CVE-2015-1637) in Windows Secure Channel drastically increases the number of users known to be vulnerable. Affected versions of Windows include:
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows 8 and 8.1
• Windows Server 2012
• Windows RT
Microsoft Working on a Patch:
Microsoft says it is “actively working” with its Microsoft Active Protections Program (MAPP) partners to protect users from FREAK and that, once its investigation is complete, it will “take the appropriate action to help protect customers.” Windows users can expect either an out-of-band patch or a fix shipped in a security bulletin on a regular Patch Tuesday. In the meantime, the advisory offers a workaround for Windows Vista and later only: use the Group Policy "SSL Cipher Suite Order" setting to configure a cipher-suite list without the RSA key exchange suites, which removes the export-grade RSA downgrade path at the cost of compatibility with servers that support nothing but RSA key exchange. Note that this is a configuration workaround, not a fix for the Schannel flaw itself.
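The following PowerShell script is an added example written for this post, not code from Microsoft or from the advisory. It reads the cipher-suite order Schannel will actually use on Windows Vista / Server 2008 and later (the Group Policy value overrides the local default), flags export-grade suites and static-RSA key-exchange suites in the spirit of the advisory workaround, and with `-Apply` writes a Group Policy order that omits them. The registry paths are the documented locations of the "SSL Cipher Suite Order" policy and of the built-in default order; the script name, the `-Apply` switch and the helper function names are this example's own.

```powershell
<#
  Audit-SchannelCipherSuites.ps1  (added example, not part of the Microsoft advisory)
  Lists the effective Schannel cipher-suite order, flags export-grade and static-RSA
  suites, and with -Apply writes a hardened Group Policy order. Run elevated.
  Applies to Windows Vista / Server 2008 and later; Server 2003 uses different keys.
#>
[CmdletBinding()]
param(
    [switch]$Apply   # write the hardened order to the policy key (needs admin and a restart)
)

# Group Policy "SSL Cipher Suite Order" is stored as a comma-separated REG_SZ named Functions.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# The built-in default order is a REG_MULTI_SZ named Functions.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherSuiteOrder {
    # Returns a hashtable: Source ('GroupPolicy', 'LocalDefault' or 'None') and Suites (string[]).
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        $suites = ($policy.Functions -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        return @{ Source = 'GroupPolicy'; Suites = @($suites) }
    }
    $local = Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction SilentlyContinue
    if ($local -and $local.Functions) {
        return @{ Source = 'LocalDefault'; Suites = @($local.Functions) }
    }
    return @{ Source = 'None'; Suites = @() }
}

function Get-CipherSuiteWeakness {
    # Returns a reason string for suites the FREAK workaround should drop, or $null to keep it.
    param([Parameter(Mandatory = $true)][string]$Suite)
    if ($Suite -match 'EXPORT') {
        # TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT1024_*, SSL_CK_RC4_128_EXPORT40_WITH_MD5, ...
        return 'export-grade suite (40/56-bit symmetric key, 512-bit RSA)'
    }
    if ($Suite -match '^(TLS|SSL)_RSA_WITH_') {
        # Static RSA key exchange: what the advisory workaround removes; also no forward secrecy.
        return 'static RSA key exchange'
    }
    return $null
}

$order = Get-SchannelCipherSuiteOrder
if ($order.Suites.Count -eq 0) {
    Write-Warning 'No cipher-suite order found; this script expects Windows Vista / Server 2008 or later.'
    return
}
Write-Host ("Effective cipher-suite order source: {0} ({1} suites)" -f $order.Source, $order.Suites.Count)

$weak = @()
$keep = @()
foreach ($suite in $order.Suites) {
    $why = Get-CipherSuiteWeakness -Suite $suite
    if ($why) {
        $weak += New-Object PSObject -Property @{ Suite = $suite; Reason = $why }
    } else {
        $keep += $suite
    }
}

if ($weak.Count -eq 0) {
    Write-Host 'No export-grade or static-RSA suites in the configured order.'
} else {
    Write-Host 'Suites the workaround would remove:'
    $weak | Format-Table Suite, Reason -AutoSize
}

if ($Apply -and $weak.Count -gt 0) {
    $value = $keep -join ','
    # The policy value is limited to 1023 characters; a longer list must be trimmed by hand.
    if ($value.Length -gt 1023) {
        throw ("Hardened order is {0} characters; shorten the list to fit in 1023." -f $value.Length)
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
    Write-Host ("Wrote {0} suites to {1}. Restart for Schannel to load the new order." -f $keep.Count, $PolicyKey)
}
```

Run it without `-Apply` first and review the list: the policy order applies to every Schannel client and server on the machine (Internet Explorer, IIS, .NET, WinHTTP), so dropping every `TLS_RSA_WITH_*` suite will break connections to peers that negotiate nothing but static RSA. Removing only the `EXPORT` suites is the smaller change, but it only helps if the vulnerable code path honours the configured order, which is exactly what the Schannel bug calls into question; the configuration change reduces exposure, and the patch is still required.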
Until then, we strongly urge readers to use this online tool to check their browser's exposure. Tools of this kind attempt a handshake that offers only RSA_EXPORT cipher suites and report whether the browser completes it. Bear in mind that every application built on Schannel (Internet Explorer, but also .NET and WinHTTP clients) shares the same exposure, and a browser check tells you nothing about those other clients.