It was reported recently that Apple’s and Google’s browsers are vulnerable to the so-called “FREAK” hacking attack and that Windows PCs aren’t. However, it turns out that they actually are, according to a report from Lucian Constantin of PC World.
Microsoft warns of FREAK vulnerability
On Thursday, Microsoft warned Windows PC users that many PCs are vulnerable to the so-called “FREAK” (factoring attack on RSA-EXPORT keys) hole. That vulnerability was the result of a decades-old government policy that required the strength of RSA encryption keys to be limited in some implementations of SSL.
Hackers who take advantage of the vulnerability could then force servers and clients to use weak encryption, making it easier for them to get in. Even though the government guideline requiring a limit on encryption is no longer in effect, there are still many servers supporting the weak cipher suites. As a result, some SSL / TSL clients can be forced to take them, according to Constantin.
Microsoft offers workaround
In its warning, Microsoft said Secure Channel, which is a crypto library that all supported Windows versions have, is also unprotected against the FREAK flaw. This means that, contrary to previous reports, Internet Explorer and any other programs that use Secure Channel are vulnerable.
The company offered a workaround for those who are able to implement it. Apparently IT administrators can disable the RSA key exchange cyphers through the Group Policy Object Editor. The problem with this workaround, however, is that some servers might refuse connections from these PCs. Also the workaround can’t be used on Windows Server 2003, which is vulnerable.
Check if your PC is open to FREAK
Constantin suggests PC users visit the University of Michigan’s website to see if their browser is open to the FREAK flaw. The website also gives a list of the HTTPS websites that are open to attack through the FREAK hole.
In addition, the site includes details about what Google, Apple, Microsoft and other companies are doing to close the vulnerability in their products. Google has already pushed out a patch for Chrome on Mac, while Apple isn’t expected to roll out a patch for Safari until next week.
