Microsoft Windows vulnerable to 'FREAK' encryption flaw too

Previously thought limited to Apple and Google browsers, the flaw leaves communications between affected users and websites open to interception.

Steven Musil Night Editor / News

Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.

See full bio

Steven Musil

March 5, 2015 5:56 p.m. PT

2 min read

Windows machines are also vulnerable to a decade-old encryption flaw.

Computers running all supported releases of Microsoft Windows are vulnerable to "FREAK," a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw was previously thought to be limited to Apple's Safari and Google's Android browsers. But Microsoft warned that the encryption protocols used in Windows -- Secure Sockets Layer and its successor Transport Layer Security -- were also vulnerable to the flaw.

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems."

Microsoft said it will likely address the flaw in its regularly scheduled Patch Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft suggested disabling the RSA export ciphers.

The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page.

Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers.

"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor," Matthew Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, wrote in a blog post explaining the flaw's origins and effects. "This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today."