Microsoft Windows is also vulnerable to FREAK, a decade-old security flaw.
Security researchers announced on Wednesday that Apple’s Safari and Google’s Android browser were vulnerable to the flaw, but now we know that Windows can be affected, too.
Microsoft warned that the encryption protocols used in Windows – Secure Sockets Layer and its successor Transport Layer Security – were also vulnerable to the flaw, cNet reports.
“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft said in its advisory. “The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems.”
A fix is expected during the regularly scheduled Patch Tuesday, or maybe even sooner, with an out-of-cycle patch. In the meantime, Microsoft recommends disabling the RSA export ciphers.
The flaw is in encryption, stemming from a US government policy decision back in the 1990s which prohibited the use of strong encryption, and stipulated that a weaker standard (using only 512-bit cryptography, which is deemed very poor these days) should be applied to products headed for customers in other countries. This was done for reasons of national security – i.e. spying.
While these rules were ditched before the 1990s were out, the problem is that the weaker encryption was baked into popular software, and is in fact still around today.
Apple and Google have fixes readied for the Safari and Android browsers, with Google having developed a patch for its OS which the company says it has already sent out to partners.