Microsoft has released an advisory relating to the FREAK vulnerability, which affects its Secure Channel and all supported releases of Microsoft Windows.
The company said that its investigation has verified that the FREAK (Factoring attack on RSA-EXPORT Keys) vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.
“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems,” it said.
“When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.” For an attack to be successful, a server needs to support RSA key exchange export ciphers.
Windows users can expect either a security bulletin released on a regularly scheduled Patch Tuesday update, or an out-of-band patch.
FREAK exploits support for ‘export-grade’ cipher suites left over from early-1990s cryptography export rules: an attacker who can intercept the connection between a vulnerable client and server forces the two sides to negotiate export-grade cryptography, which is weak enough to be broken so that the traffic can be decrypted.
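The downgrade described above has a concrete on-the-wire signature: the client offers modern cipher suites, but the server's ServerHello selects an RSA-export suite the client never offered, and a vulnerable client accepts it anyway. The following Python script is an added example (not code from the article or from Microsoft) showing how a defender can flag that pattern from captured handshake messages. It parses the cipher-suite fields of a TLS 1.0-1.2 style ClientHello and ServerHello and compares them against the RSA-export suite codes from RFC 2246 and the later 1024-bit export suites; the hello builders and the sample messages are constructed here purely so the script runs offline, and the function names are my own.

```python
import struct

# RSA-export cipher suite codes (RFC 2246 plus the "EXPORT1024" family).
# A FREAK downgrade requires the server to accept one of these.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the TLS record header and handshake header, returning the message body."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rlen]
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    if htype != expected_type or len(body) < 4 + hlen:
        raise ValueError("unexpected handshake message type %#x" % htype)
    return body[4:4 + hlen]


def parse_client_hello(record: bytes) -> list:
    """Return the list of cipher suite codes offered in a ClientHello."""
    msg = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                      # skip client_version and random
    sid_len = msg[pos]
    pos += 1 + sid_len                # skip session_id
    (suites_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", msg[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def parse_server_hello(record: bytes) -> int:
    """Return the single cipher suite code selected in a ServerHello."""
    msg = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                      # skip server_version and random
    sid_len = msg[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", msg[pos:pos + 2])[0]


def assess(client_record: bytes, server_record: bytes) -> dict:
    """Classify a ClientHello/ServerHello pair seen on the client side of a connection."""
    offered = parse_client_hello(client_record)
    chosen = parse_server_hello(server_record)
    export = chosen in RSA_EXPORT_SUITES
    if export and chosen not in offered:
        verdict = "downgrade"           # export suite the client never offered: FREAK signature
    elif export:
        verdict = "export-negotiated"   # client itself offered an export suite; fix the client config
    elif chosen not in offered:
        verdict = "protocol-violation"  # server ignored the offered list; investigate
    else:
        verdict = "ok"
    return {"chosen": chosen,
            "name": RSA_EXPORT_SUITES.get(chosen, "0x%04x" % chosen),
            "export": export,
            "verdict": verdict}


# --- constructed sample messages (not real captures) -------------------------

def build_client_hello(suites: list) -> bytes:
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, random, empty session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                                      # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Client offers ECDHE-RSA-AES128-GCM-SHA256 and AES128-SHA; server answers with RC4-40 export.
    modern = [0xC02F, 0x002F]
    print(assess(build_client_hello(modern), build_server_hello(0x0003)))
    print(assess(build_client_hello(modern), build_server_hello(0xC02F)))
```

Run at the client side of a connection (or over a packet capture), a `downgrade` verdict means the server accepted an export suite the client did not ask for, which is the condition the advisory describes; the remediation is the same in either direction: remove every `EXPORT` suite from the server's cipher list and apply the client patch when it ships.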
Simon Crosby, CTO and co-founder at endpoint security firm, Bromium, said: “The older your infrastructure, the more likely latent vulnerabilities will surface – as they have in this case. Attackers will exploit any opportunity – and the legacy base is full of holes, so CIOs need to continually upgrade and patch where they can. And that’s only the start. Architectures such as micro-virtualisation actually stop cyber attacks – even when vulnerabilities remain.”