Microsoft Admits FREAK Affects All Versions of Windows

Microsoft has admitted that all versions of Windows are vulnerable to the recently discovered FREAK flaw, exposing a huge number of additional machines to potential Man in the Middle attacks.

Redmond said in a security advisory that on completion of an investigation into the problem, it may provide a patch to sort the issue, “depending on customer needs.”

It explained the following:

“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”

The news comes as cloud security firm Skyhigh Networks released new data claiming that 24 hours after FREAK was made public there were still 766 cloud services at risk from the flaw – with the average company using 122 “potentially vulnerable” services.

“If the website or cloud service you are accessing is built around Apache, and many are, FREAK is a serious vulnerability. Until patches are made, it’s a case of pitting 90s technology against modern hackers – which is no contest,” argued Skyhigh Networks’ EMEA strategy director, Nigel Hawthorn.

"We recommend enterprises check the services that their users are accessing – both sanctioned cloud services and shadow cloud services. We’re talking about a sizable portion of the internet that’s vulnerable, and a very real threat.”

FREAK was said to affect around 36% of all sites trusted by browsers.

It allows an attacker to inject code between vulnerable clients and servers, forcing both sides to use weak 512-bit encryption, which can be cracked in a matter of hours – allowing for a MITM attack.

What’s Hot on Infosecurity Magazine?