Flaws in SSL/TLS

All Versions of Windows Vulnerable to FREAK Attack, Confirms Microsoft

MAR 6, 2015

There’s bad news for any Windows users who were thinking that the recently-announced FREAK vulnerability wasn’t something they had to particularly worry about.

When first announced, it was thought that the newly-discovered flaw in SSL/TLS was limited to Apple’s Safari and Google’s Android web browsers, opening the possibility of hackers and intelligence agencies intercepting HTTPS-protected internet communications with hundreds of thousands of websites.

However, a new Microsoft security advisory warns that Windows’ encryption protocols are also vulnerable.

Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems.

The good news is that Microsoft doesn’t have any evidence to believe that the flaw has been exploited publicly to attack its customers.

The bad news is that this isn’t proof that it hasn’t happened, or that it won’t happen now that online criminals have been given the nod that such an attack might be possible.

As it is, the FREAK (Factoring attack on RSA-EXPORT Keys, also known as CVE-2015-0204) vulnerability has been around for more than a decade, unnoticed by the security community until recently when it was uncovered by a group of researchers who discovered they were able to force websites into using weakened encryption, which it was then possible to crack within a few hours.

Ironically, the FREAK problem only exists because in the 1990s the US government attempted to stop products being sold overseas if they incorporated strong encryption. Instead, it allowed “export-grade” (a synonym for “weak”) encryption to be used.
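As an added illustration (not code from Microsoft, Tripwire or the researchers), the sketch below shows one passive check for export-grade RSA: it parses a captured TLS ServerHello record and reports whether the server selected one of the RSA export cipher suites defined in RFC 2246. The function names and the sample records are constructed for this example.

```python
import struct

# RSA export-grade suites from RFC 2246: the "RSA-EXPORT" in FREAK.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def selected_suite(record: bytes) -> int:
    """Return the cipher suite ID a server chose in a TLS ServerHello record."""
    try:
        # Record type 0x16 = handshake; handshake type 0x02 = ServerHello.
        if record[0] != 0x16 or record[5] != 0x02:
            raise ValueError("not a handshake record carrying a ServerHello")
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        pos = 4 + 2 + 32          # handshake header, server_version, random
        pos += 1 + body[pos]      # skip the variable-length session_id
        (suite,) = struct.unpack("!H", body[pos:pos + 2])
    except (IndexError, struct.error):
        raise ValueError("truncated ServerHello") from None
    return suite


def export_rsa_selected(record: bytes):
    """Name of the RSA export suite the server selected, or None."""
    return RSA_EXPORT_SUITES.get(selected_suite(record))


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample: a minimal TLS 1.0 ServerHello with no extensions."""
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed records: one server answering with an export suite, one with
# TLS_RSA_WITH_AES_128_CBC_SHA (0x002F).
WEAK = build_server_hello(0x0003, session_id=bytes(32))
STRONG = build_server_hello(0x002F)

if __name__ == "__main__":
    for label, rec in (("weak", WEAK), ("strong", STRONG)):
        print(label, export_rsa_selected(rec) or "no RSA export suite selected")
```

A server that ever answers with one of these suites still has export-grade RSA enabled and should have it switched off in its cipher configuration.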

The silver lining on the cloud is that Microsoft says it is working on a fix, and the FREAK vulnerability is probably less likely to be exploited widely than, say, the Heartbleed or Shellshock flaws.

As Tripwire senior security analyst Ken Westin says, “It is still important to update systems as vendors make patches available.”

Wise words that we all should follow.

Tripwire IP360 has included coverage for FREAK/CVE-2015-0204 since it was first released in January 2015, as well as detection capabilities for weak export grade ciphers that enable this attack vector. If you’re not already a Tripwire IP360 user, you can sign up free for Tripwire SecureScan — a complementary vulnerability scanning service for up to 100 IPs.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security.