Windows vulnerable to Freak attacks, says Microsoft


Microsoft has revealed that all supported versions of its Windows operating system are vulnerable to attacks exploiting the so-called Freak security vulnerability.

The vulnerability, introduced by old US export policies requiring weaker encryption, enables attackers to conduct man-in-the-middle attacks on connections between vulnerable devices and websites.

Researchers discovered that the decade-old vulnerability can be exploited to conduct man-in-the-middle attacks on secure sockets layer (SSL) and transport layer security (TLS) connections.

They found that once intercepted, the connections can be forced to use ‘export-grade’ cryptography, even if the weak algorithms are disabled by default.
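The downgrade described above shows up on the wire as an export-grade cipher suite in the TLS handshake: either offered by a client that still accepts one, or selected by a server in its ServerHello. The following is an added example (not code from the article or from Microsoft) that parses a ClientHello or ServerHello record and flags the RSA export suites at the heart of FREAK. The cipher-suite ids are the IANA-registered values; the handshake records are constructed inline so the check runs offline, and the `build_*` helpers exist only to produce that sample input.

```python
import struct

# IANA cipher-suite ids for the RSA export-grade suites a FREAK downgrade
# lands on (values from the TLS cipher suite registry).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 1      # handshake message types
SERVER_HELLO = 2


def _hello_suites(body: bytes, msg_type: int) -> list:
    """Return the cipher suite ids carried by a ClientHello or ServerHello body."""
    # Both messages start with version(2) + random(32) + session_id_len(1) + session_id.
    off = 2 + 32
    sid_len = body[off]
    off += 1 + sid_len
    if msg_type == SERVER_HELLO:
        # ServerHello carries the single suite the server chose.
        (suite,) = struct.unpack_from(">H", body, off)
        return [suite]
    # ClientHello carries a length-prefixed list of offered suites.
    (suites_len,) = struct.unpack_from(">H", body, off)
    off += 2
    raw = body[off:off + suites_len]
    return [struct.unpack_from(">H", raw, i)[0] for i in range(0, len(raw), 2)]


def inspect_record(record: bytes) -> dict:
    """Parse one TLS handshake record and report any export-grade RSA suites."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack_from(">H", record, 3)
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("truncated record")
    msg_type = payload[0]
    msg_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + msg_len]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    suites = _hello_suites(body, msg_type)
    flagged = [EXPORT_RSA_SUITES[s] for s in suites if s in EXPORT_RSA_SUITES]
    return {
        "message": "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello",
        "suites": suites,
        "export_rsa_suites": flagged,
        # A server that *selects* an export suite has completed the downgrade;
        # a client that merely offers one is still exposed to it.
        "downgraded": msg_type == SERVER_HELLO and bool(flagged),
    }


def _handshake_record(msg_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in handshake and record headers (constructed sample input)."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    """Constructed ServerHello: fixed random, empty session id, one suite, null compression."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _handshake_record(SERVER_HELLO, body)


def build_client_hello(suites) -> bytes:
    """Constructed ClientHello offering the given suites and null compression."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (b"\x03\x01" + b"\x22" * 32 + b"\x00"
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")
    return _handshake_record(CLIENT_HELLO, body)


if __name__ == "__main__":
    # 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA, a non-export suite.
    print(inspect_record(build_server_hello(0x0008)))          # downgraded: True
    print(inspect_record(build_client_hello([0x002F, 0x0003])))  # one export suite offered
```

Run against captured handshakes, a ServerHello that selects one of the flagged suites is the signature of a successful downgrade, while a ClientHello that still lists one indicates a client that has not had export suites removed from its configuration.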

Initially, only browsers on Android and iOS devices appeared to be vulnerable, but Microsoft said in a security advisory that it is aware of a security feature bypass vulnerability in its Secure Channel (Schannel) security component, which implements the SSL and TLS protocols.

“The vulnerability facilitates exploitation of the publicly disclosed Freak technique, which is an industry-wide issue that is not specific to Windows operating systems,” the security advisory said.

However, Microsoft said Windows servers are not affected if the RSA export cipher at the heart of the Freak vulnerability is disabled.

More @ ComputerWeekly