Microsoft has revealed that Windows is vulnerable to the critical FREAK SSL/TLS flaw.
FREAK is a security bug that lets an attacker in a man-in-the-middle position downgrade a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection to weak, export-grade RSA encryption, whose 512-bit keys can be factored and the session then decrypted.
And FREAK has claimed another potential victim, this time Microsoft's Secure Channel (Schannel) stack.
The company confirmed the vulnerability in an official statement:
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems.”
Although Microsoft's research team collaborated with European cryptographers in discovering FREAK, the company did not disclose the Windows flaw until yesterday.
“When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”
Microsoft is reportedly "actively working" with its Microsoft Active Protections Program partners to protect customers, and after a thorough investigation the company will "take the appropriate action to help protect customers".
According to Microsoft, “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
Versions of Windows affected by FREAK include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and Windows RT.
Microsoft said users can disable the RSA key exchange cipher suites that FREAK depends on by editing the SSL Cipher Suite Order setting in the Group Policy Object Editor. This workaround is not available on Windows Server 2003, which does not allow individual cipher suites to be enabled or disabled.
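The following PowerShell script is an added example of that workaround for Windows Vista and later; it is not code from the original article or from Microsoft's advisory. It assumes that the "SSL Cipher Suite Order" policy is backed by the registry value `Functions` under `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, and the cipher suite list it starts from is constructed for illustration rather than taken from any Microsoft list. It filters out every suite that uses plain RSA key exchange (which is what FREAK downgrades to an export-grade key) and any suite marked EXPORT, keeping the (EC)DHE suites in which RSA is used only for signing.

```powershell
# Added example, not from the original article or Microsoft's advisory.
# Assumption: the "SSL Cipher Suite Order" Group Policy setting is stored
# as the comma-separated REG_SZ value "Functions" under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Remove-RsaKeyExchangeSuites {
    param([Parameter(Mandatory)][string[]]$Suites)
    # Schannel names suites TLS_<key exchange>_WITH_<cipher>_<mac>.
    # Plain RSA key exchange (TLS_RSA_WITH_*) is the path FREAK abuses,
    # so drop it together with anything explicitly marked EXPORT.
    # (EC)DHE_RSA suites stay: RSA there only signs the ephemeral key.
    $Suites | Where-Object {
        $_ -notmatch '^TLS_RSA_WITH_' -and $_ -notmatch 'EXPORT'
    }
}

function Get-CurrentSuiteOrder {
    # Returns the suite order currently pinned by policy, or $null if unset.
    $v = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return $v.Functions -split ','
}

function Set-SuiteOrder {
    param([Parameter(Mandatory)][string[]]$Suites)
    if ($Suites.Count -eq 0) { throw 'Refusing to write an empty cipher suite list' }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # The policy value is one comma-separated string with a documented
    # 1023-character limit; fail loudly rather than truncate silently.
    $joined = $Suites -join ','
    if ($joined.Length -gt 1023) { throw "Cipher suite list is $($joined.Length) chars; limit is 1023" }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $joined -Type String
}

# Constructed sample order mixing ECDHE, DHE, plain-RSA and an export suite.
$sample = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_EXPORT_WITH_RC4_40_MD5'
)

# Start from the live policy when one exists, otherwise from the sample.
$current = Get-CurrentSuiteOrder
if ($null -eq $current) { $current = $sample }
$hardened = Remove-RsaKeyExchangeSuites -Suites $current
$hardened | ForEach-Object { Write-Output "keep: $_" }

# Apply from an elevated prompt, then reboot so Schannel reloads the list:
# Set-SuiteOrder -Suites $hardened
```

Two caveats before applying this in production: removing every TLS_RSA_WITH_* suite also removes the static-RSA suites that some older clients rely on, so test against the clients you must support, and the registry path is a policy setting that will be overwritten by any domain GPO that also sets SSL Cipher Suite Order.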
“Windows servers are not impacted in the default configuration (export ciphers disabled),” says Microsoft.
The browsers affected by FREAK include Internet Explorer, Chrome on Android, the stock Android browser, Safari on Mac OS X and iOS, the BlackBerry browser, and Opera on Mac OS X and Linux.