Microsoft Confirms Windows Vulnerable to Freak Flaw

Microsoft on Thursday confirmed that Windows is indeed vulnerable to the dreaded FREAK attacks that were reported earlier this week. Microsoft said it was aware of a security feature bypass vulnerability in Secure Channel, or Schannel, that affects all supported versions of Microsoft Windows.

Information security firm IANS has determined the FREAK flaw, which stands for Factoring RSA-Export Keys, can likely be traced back to the U.S. government restrictions from the 1990s that made it illegal to export highly encrypted products overseas.

According to FreakAttack.com, a site dedicated to tracking the impact of the attack and helping users test whether they're vulnerable, the FREAK attack is possible when a vulnerable browser connects to a susceptible Web server -- a server that accepts "export-grade" encryption.

How Far Does this Spread?

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft reported in a security advisory.

"The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."

Public disclosure of the FREAK vulnerability first occurred March 3, when researchers announced they had discovered the SSL/TLS vulnerability. According to FreakAttack.com, it allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption. That sets the stage for the attacker to steal or manipulate sensitive data.
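The server-side condition the article describes, a server that will accept an "export-grade" suite, is what a defender checks on their own hosts before an attacker can exploit it: offer the server only RSA_EXPORT suites and inspect its first reply. The code below is an added Python example, not code from the article, FreakAttack.com, or Microsoft; it decodes a TLS ServerHello record and reports whether the suite the server selected is one of the export suites defined in RFC 2246, treating an alert as a refusal. The cipher-suite code points are the public IANA values; the sample responses are constructed inline rather than captured traffic, and building and sending the ClientHello over a socket is left out.

```python
import struct

# Added example, not from the article. IANA code points of the RSA/DH export
# cipher suites listed in RFC 2246 Appendix A.5; each caps the key exchange at
# 512 bits, which is the weakness FREAK forces a connection down to.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15   # TLS record content types
SERVER_HELLO = 0x02             # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (RFC 2246 section 7.4.1.3).

    Returns the negotiated protocol version and the cipher suite code point.
    Raises ValueError for anything that is not a well-formed ServerHello.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    version = (hello[0], hello[1])
    pos = 2 + 32                    # skip server_version and server_random
    sid_len = hello[pos]
    pos += 1 + sid_len              # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def export_suite_selected(record: bytes):
    """Classify the server's first reply to a ClientHello that offered only
    export suites: the export suite name if the server accepted one, or None
    when it refused (alert) or selected something outside the export list."""
    if record and record[0] == ALERT:
        return None                 # e.g. fatal handshake_failure: server declined
    try:
        suite = parse_server_hello(record)["cipher_suite"]
    except ValueError:
        return None
    return EXPORT_SUITES.get(suite)


def build_server_hello(suite: int) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (no extensions) for testing."""
    hello = (b"\x03\x01" + bytes(range(32))        # version + fixed dummy random
             + b"\x00"                             # empty session_id
             + struct.pack("!H", suite) + b"\x00")  # suite + null compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample responses (assumptions for the example, not captured traffic):
VULNERABLE_RESPONSE = build_server_hello(0x0008)   # accepted RSA_EXPORT DES40
STRONG_RESPONSE = build_server_hello(0x002F)       # TLS_RSA_WITH_AES_128_CBC_SHA
HARDENED_RESPONSE = bytes([ALERT, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])  # fatal handshake_failure

if __name__ == "__main__":
    for label, resp in [("vulnerable", VULNERABLE_RESPONSE),
                        ("strong", STRONG_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)]:
        print(label, "->", export_suite_selected(resp))
```

A server that is correctly configured answers an export-only ClientHello with a handshake_failure alert, which `export_suite_selected` reports as None; any name it returns is a suite the server should not be offering.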

Until Microsoft's announcement Thursday, it was believed the vulnerability only affected the Android browser and Apple's Safari Web browser, which rely on OpenSSL to establish secure connections.

Thousands of Web sites are believed affected. FreakAttack.com lists some. A...