Microsoft FREAK!
Action Required:
If you run a server …
You should immediately disable support for TLS export cipher suites. While you’re at it, you should also disable other cipher suites that are known to be insecure and enable forward secrecy. For instructions on how to secure popular HTTPS server software, we recommend Mozilla’s security configuration guide and their SSL configuration generator. We also recommend testing your configuration with the Qualys SSL Labs SSL Server Test tool.
If you use a browser …
Make sure you have the most recent version of your browser installed, and check for updates frequently. Updates that fix the FREAK attack should be available for all major browsers soon.
If you’re a sysadmin or developer …
Make sure any TLS libraries you use are up to date. Unpatched OpenSSL, Microsoft Schannel, and Apple SecureTransport all suffer from the vulnerability. Note that these libraries are used internally by many other programs, such as wget and curl. You also need to ensure that your software does not offer export cipher suites, even as a last resort, since they can be exploited even if the TLS library is patched. We have provided tools for software developers that may be helpful for testing.
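A small check for the last point above, written here as an added example (not one of freakattack.com's tools): it parses a raw TLS ClientHello record and reports which RSA_EXPORT cipher suites the client is still offering, which is exactly the condition FREAK needs on the client side. The `build_client_hello` helper and the suite lists it is fed are constructed sample input for this example only.

```python
import struct

# IANA IDs of the RSA_EXPORT suites FREAK relies on (RFC 2246 names).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def client_hello_cipher_suites(record):
    """Return the list of cipher suite IDs offered in a TLS ClientHello record."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); msg_type 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                              # skip client_version and random
    pos += 1 + hs[pos]                        # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def freak_exposed_suites(record):
    """Names of RSA_EXPORT suites the client offers; an empty list is the goal."""
    return [RSA_EXPORT_SUITES[s] for s in client_hello_cipher_suites(record)
            if s in RSA_EXPORT_SUITES]

def build_client_hello(suites):
    """Constructed minimal TLS 1.0 ClientHello (all-zero random, no session id,
    null compression, no extensions) used as sample input for this example."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # A client that lists AES first but keeps export suites "as a last resort".
    legacy = build_client_hello([0x002F, 0x0035, 0x0003, 0x0006])
    print("legacy client offers:", freak_exposed_suites(legacy))
    print("clean client offers:", freak_exposed_suites(build_client_hello([0x002F, 0x0035])))
```

Captured ClientHello bytes from a real client (for example a pcap of your own application's handshake) can be passed to `freak_exposed_suites` directly in place of the constructed sample.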
---
Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack.
This means if you're using the company's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to deploy weak encryption over the web.
Intercepted HTTPS connections can be easily cracked, revealing sensitive details such as login cookies and banking information, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are).
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Redmond says in an advisory.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.
"When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."
The bug (CVE-2015-1637) in Windows' Secure Channel component is not thought to be under active attack by eavesdroppers at the time of writing.
The FREAK (Factoring attack on RSA-EXPORT Keys) mess revealed this week allows bad guys to decrypt login cookies and other sensitive information from HTTPS connections to vulnerable browsers.
Redmond is pushing out details of defensive mechanisms through its Microsoft Active Protections Program. It offers imperfect workarounds, including changing the registry in Server 2003 to disable the vulnerable key exchange ciphers, which it warns could cause "serious problems".
So far Google Chrome for OS X prior to version 41.0.2272.76 and BlackBerry OS 10.3 are known to be vulnerable. Users can visit freakattack.com to determine their browser exposure.
Most companies used 122 potentially vulnerable services, a finding that points to popular cloud services being disproportionately affected by slow patching against FREAK.