Time for all Windows users to FREAK out over encryption bug

ComputerWorld ^ | Mar 6, 2015 | Gregg Keizer

[dayglored]

Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk.

The news was a turnabout from earlier in the week, when researchers initially fingered only Apple's iOS and OS X and Google's Android operating systems as those that could fall victim to cybercriminals spying on purportedly secure communications between browsers and website servers.

By adding Windows to the list, the number of jeopardized users jumped dramatically: Windows powered 92% of all personal computers last month.

In a security advisory released Thursday, Microsoft said Windows was, in fact, vulnerable to FREAK (Factoring attack on RSA-EXPORT Keys).

"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Microsoft said in the advisory. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

...

[dayglored]

For a few days, it appeared Windows users didn't have to worry about this rather nasty bug -- Apple and Android got all the attention.

But it is confirmed by Microsoft and other researchers that in fact, Windows users need to be aware and patch their systems ASAP.

[dayglored]

Heads up guys. Ping to appropriate lists, please.

[Paladin2]

IE? Is that still around? And how did Gate$ manage to get compensated for that?

[dayglored]

> "Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Microsoft said in the advisory. That's everybody, folks.

And you people still running Windows XP -- tough beans, you ain't getting a patch.

[CyberAnt]

I have had two security updates from Windows in the past two weeks. Plus, Norton has always been updating everyday, so I have not had any issues.

Exactly what is supposed to happen if you do get the bug ..??

[ShadowAce]

[Darksheare]

It isn’t a bug if it was purposeful.
Does anyone really think NSA didn’t use it to snoop?

[dayglored]

> Exactly what is supposed to happen if you do get the bug ..??

Somebody steals your identity, your financial info, your passwords, whatever you THOUGHT was encrypted.

http://en.wikipedia.org/wiki/FREAK

[CyberAnt]

Well, with Norton and LifeLock, I don’t expect any surprises.

[Swordmaker]

But it is confirmed by Microsoft and other researchers that in fact, Windows users need to be aware and patch their systems ASAP.

Hmmmmm . . . I think I shall have tell someone, not necessarily you, I TOLD YOU SO!

[FreedomPoster]

Firefox just did an “important!” point release. I wonder if this was why?

[dayglored]

> Well, with Norton and LifeLock, I don’t expect any surprises.

I don’t think those will help prevent it, although Lifelock may help you recover.

This is something in Windows and IE that only Microsoft can fix, as far as I know.

[dayglored]

I don’t know. I suppose it could be related, but I wouldn’t bet on it solving the basic underlying problem.

[dayglored]

Hi Sword,

Well, it’s certainly not the first time a bunch of tech whores, sorry, journalists got their rocks off writing a headline with “Apple” in it. It’s all about those page hits... And they aren’t so likely with a vulnerability that affects Windows too. That’s like, “big deal, yawn...”

[Swordmaker]

Well, it’s certainly not the first time a bunch of tech whores, sorry, journalists got their rocks off writing a headline with “Apple” in it. It’s all about those page hits... And they aren’t so likely with a vulnerability that affects Windows too. That’s like, “big deal, yawn...”

They sure did get their page hits, didn't they. . . and it IS Apple FUD Season, after all.

[Axenolith]

Dogs sleep with cats, burning hail falls, sulfurous fumes rise from the earth, the Federal Reserve closes its doors, widespread panic...

The usual stuff.

[867V309]

Firefox just did an “important!” point release. I wonder if this was why?

Glad to see you are following the time-honored Free Republic tradition of posting without reading the source article, which included this graphic:

[dayglored]

> it IS Apple FUD Season, after all.

True, although to be accurate, this one, at least, isn't FUD. It's a real vulnerability, and a serious one.

It amazes me that the old RSA short-key handling etc. wasn't purged a decade ago. Geez, guys.

[dayglored]

> Glad to see you are following the time-honored Free Republic tradition of posting without reading the source article,...

LOL. Thanks for posting the graphic.

[__rvx86]

I’ve already patched my server. Currently working on POODLE/TLSv1.