Windows is susceptible to 'FREAK' after all

Microsoft has confirmed that all Windows PCs are at risk from an HTTPS exploit known as FREAK that has already affected a raft of Android and Apple devices.

The bug was originally disclosed on Monday and it was thought that PCs running Windows weren't affected by the exploit that has existed for more than 10 years and allows attackers to easily decrypt traffic sent over an HTTPS connection between end users and websites.

Attacks can be carried out when an end-user on a vulnerable device connects to an HTTPS-protected site that is also vulnerable, and those sites that are at risk are ones that use the weak cipher that was thought to be long retired.

FREAK, which stands for factoring attack on RSA-EXPORT keys, allows those monitoring the traffic to introduce malicious packets into the traffic flow that force the end user and site to use a weaker 512-bit encryption key while in an encrypted web session.

Attackers can collect information transmitted over this exchange by using the cloud to factor the website's underlying private key. This process costs just $100 (around £66, or AU$130) and takes around seven hours to complete. Once that has taken place, the attacker can act as the official HTTPS-protected site to potentially read or modify data travelling between the site and end users.

No Windows patch

The scale of the problem was laid bare by a report by security researchers on FREAKattack.com that found 36% of the 14 million HTTPS-protected sites it surveyed were using the weak cipher.

Apple and Google have already released updates that get around the problem and, although Microsoft has yet to develop a patch to bypass the problem that affects all consumer versions of Windows, it is advising users to apply a workaround that is detailed here.

Via: Ars Technica

• Why you need to encrypt data in the cloud