Microsoft: Internet Explorer, Windows vulnerable to FREAK attack

Earlier this week, we covered the new FREAK attack (Factoring RSA Export Keys) that exploits decades-old security flaws to cripple security settings on modern browsers. At the time, it was believed Windows wasn’t affected. Microsoft has now released a statement that this isn’t true, and is advising users to apply a workaround until a patch can be provided. Affected operating systems include Windows Server 2003, Vista (all flavors), Server 2008, and all consumer versions of Windows, including Windows RT.

It appears that some Windows browsers are vulnerable while others aren’t — Internet Explorer 11, even when fully patched, still shows as vulnerable to the attack, while Firefox and Chrome don’t. The Microsoft workaround is shown below, but you’d best be comfortable with rooting around in the Group Policy Object Editor.

[Screenshot: Microsoft's FREAK workaround in the Group Policy Object Editor]

Right now, the only fix is to manually tell Windows which ciphers are safe for use and which are not.
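As an added illustration (not from the article and not Microsoft's own tooling), the Python below models the filtering the Group Policy workaround performs by hand: it takes a cipher suite order list, flags the export-grade RSA suites that FREAK downgrades a connection to, and returns the order without them. The suite names in the sample and the comma-separated list format are constructed assumptions for this example.

```python
"""Audit a cipher suite order for FREAK-relevant export-grade suites.

Added example only: it shows the filtering a defender does when telling
Windows which ciphers are safe. The sample order below is constructed;
the comma-separated format is assumed, not taken from the article.
"""
import re

# FREAK works by forcing a client to accept an export-grade RSA suite,
# whose deliberately weakened key is cheap to factor. In Windows-style
# suite names these carry EXPORT (or a DES40 / 40-bit cipher marker).
EXPORT_MARKERS = re.compile(r"EXPORT|DES40|_40_", re.IGNORECASE)

# Constructed sample: modern suites mixed with export-grade ones.
SAMPLE_ORDER = (
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5,"
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,"
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)


def is_export_suite(name):
    """True if the suite name marks an export-grade (FREAK-usable) suite."""
    return EXPORT_MARKERS.search(name) is not None


def audit(order):
    """Split a comma-separated order into (kept, dropped) suite lists.

    Blank entries and surrounding whitespace are ignored; the original
    ordering of the kept suites is preserved.
    """
    kept, dropped = [], []
    for raw in order.split(","):
        name = raw.strip()
        if not name:
            continue
        (dropped if is_export_suite(name) else kept).append(name)
    return kept, dropped


def hardened_order(order):
    """Return the order with every export-grade suite removed."""
    kept, _ = audit(order)
    return ",".join(kept)


if __name__ == "__main__":
    kept, dropped = audit(SAMPLE_ORDER)
    print("dropped export-grade suites:", dropped)
    print("hardened order:", hardened_order(SAMPLE_ORDER))
```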

Google has already patched Chrome for Mac to close the hole, and Firefox is reportedly safe on all platforms. The formal iOS and OS X patches are still in the pipeline; Apple hasn’t provided an updated timeline for their release beyond “next week.”

As for how dangerous FREAK actually is, the practical risk appears to be relatively low. The greater problem is what FREAK represents. It’s a flaw that only exists because governments attempted to mandate weak cryptography in the mistaken belief that they could retain control of security standards for the “good” guys without handing bad guys additional flaws or attack vectors. The fact that the problem has existed, undetected, for over a decade suggests that groups like the NSA and other security agencies could well have exploited it in targeted attacks, and these are precisely the kinds of threats that the NSA is supposed to be capable of guarding against.

Backdoors don’t have morals. They don’t distinguish between good guys and bad guys, or good governments versus bad governments. They break security models simply by virtue of existing. And they can’t be used to balance government oversight against user or corporate security.

Presumably, Microsoft will issue a comprehensive patch to address this problem for people who don’t feel like jumping through the manual update process. We’ll update this post when the patch is available.