Microsoft on Thursday confirmed that Windows is indeed vulnerable to the dreaded FREAK attacks that were reported earlier this week. Microsoft said it was aware of a security feature bypass vulnerability in Secure Channel, or Schannel, that affects all supported versions of Microsoft Windows.
Information security firm IANS has determined the FREAK flaw, which stands for Factoring RSA-Export Keys, can likely be traced back to the U.S. government restrictions from the 1990s that made it illegal to export highly encrypted products overseas.
According to FreakAttack.com, a site dedicated to tracking the impact of the attack and helping users test whether they’re vulnerable, the FREAK attack is possible when a vulnerable browser connects to a susceptible Web server — a server that accepts “export-grade” encryption.
How Far Does this Spread?
“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft reported in a security advisory.
“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”
Public disclosure of the FREAK vulnerability first occurred March 3, when researchers announced they had discovered the SSL/TLS vulnerability. According to FreakAttack.com, it allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption. That sets the stage for the attacker to steal or manipulate sensitive data.
Until Microsoft’s announcement Thursday, it was believed the vulnerability only affected the Android and Apple’s Safari Web browsers, which rely on OpenSSL to establish secure connections.
Thousands of Web sites are believed affected. FreakAttack.com lists some. A few of the more popular ones are AmericanExpress.com, Groupon.com, NationalGeographic.com, Bloomberg.com and TinyURL.com. As for Microsoft, the company said it was “actively” working with partners in its Microsoft Active Protections Program to provide information they can use to offer broader customer protection.
Just Common Sense
We asked Craig Young, security expert at advanced threat protection firm Tripwire, for his thoughts about FREAK. He told us this is a situation where common sense security goes a long way.
“Windows users should not be particularly concerned about this attack but it would be wise to disable the RSA key exchange ciphers, as Microsoft recommends particularly on systems which are used on public wireless networks,” Young said. “Systems which automatically connect to any open wireless network can be most easily subverted to join an attacker-controlled network where FREAK can be exploited.”
As Young sees it, this entire situation should also be considered in the future when thinking about watering down or adding backdoors to encryption schemes in the name of national security.
Although this is a highly targeted attack, Young said, the attacker must target specific sites with support for export encryption and then spend the effort to crack their 512-bit RSA ephemeral key.
“Also since they key may change periodically as services are restarted, the attacker can have a limited timeframe to successfully man-in-the-middle [attack] a victim,” Young said. “In my opinion, issues like the SuperFish malware are much more concerning for the possibility of highly successful MiTM attacks.”