For some, their high horse ride has come to an end. Windows users who were standing on their soap boxes and pointing fingers at Android, Mac OS and iOS users who were subjects of an SSL/TLS vulnerability, will now join them to some degree.
Microsoft confirmed today, the FREAK Attack vulnerability that exists in Secure Channel (Schannel), affects all versions of Windows. The Schannel is a security package that implements the SSL/TLS authentication protocols. The authentication process can now be used as an exploit that allows would-be attackers the ability to downgrade an encrypted SSL/TLS session while forcing client systems to use a weaker and export-grade RSA cipher in the process.
Essentially this is a man-in-the-middle (MITM) exploit that allows attackers the ability to intercept and decrypt encrypted traffic. Bad stuff.
This FREAK Attack is garnering a lot of attention as it is reported to have affected more than a third of HTTPS servers with browser-trusted certificates. Most of the top used browsers have been or are affected including, Internet Explorer, Chrome on OSX, Android, Safari, iOS, stock AOSP Android browser, BlackBerry browser, Opera on OSX, and Linux.
Google has already issued a patch for Chrome on OSX and Apple will be following suit with a patch for Safari sometime next week.
While Microsoft says that they have found no evidence that this exploit has been in use for Windows users, they will be making an effort (possibly applying an off-scheduled update) to address this attack.
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
There are precautions Windows users can take while they wait for Microsoft to patch this vulnerability. Microsoft is advising that Windows users disable RSA key exchange using Group Policy Object Editor, which has been an available option in Windows since Vista. This stop-gap disables the attacker’s ability to launch the FREAK attack as it is reliant on server support of export-grade cipher suites.