Dubbed FREAK, short for Factoring Attack on RSA-EXPORT Keys, the bug that has been present in the basic protocol for secure transfer of information across the internet for years was only uncovered this week.
Initially reported as only affecting Android, iOS, OS X and BlackBerry devices, Microsoft revealed today that Windows is also vulnerable.
In a security advisory published on TechNet, Microsoft acknowledged that FREAK could compromise “all supported releases of Microsoft Windows”. FREAK can be used by hackers on windows through a weakness in the company’s Schannel software that implements the secure protocols SSL and TLS for internet transfer.
Scanning site FREAKAttack.com which can detect if the exploit can be run on a device confirmed that Internet Explorer 11 on a fully updated Windows 7 was vulnerable and at risk of being compromised, rejecting previous beliefs that Windows was immune from this security issue.
FREAK makes it possible for external hackers to monitor traffic between compromised web browsers and servers. They can then force the browser to use a weak encryption key to transmit data through the injection of malicious code or pose as the intended website so that data can be intercepted, read and modified. This could include any personal information and passwords used online and also payment details during transactions.
Apple has not yet updated OS X or iOS to protect against the issue. The company has said that it intends to do so next week. Google is also yet to release an update to Google Chrome on Android, despite updating Chrome on Mac.
Microsoft will update Windows in a future security patch. Meanwhile, the severity of FREAK is believed by security researchers to be very high because of the sheer number of websites and servers that rely on HTTPS to communicate with browsers.
In a scan of 14 million HTTPS protected websites by security researchers, 36% of them could be fooled into thinking they were on a secure connection with a client through the use of FREAK.
