Microsoft gets its FREAK on fast, patches encryption bug in Windows

Microsoft today patched Windows to prevent possible FREAK attacks against users of Internet Explorer (IE).

MS15-031 patches Schannel, the set of Windows protocols that, among other things, accesses the OS's cryptographic features to encrypt traffic between browsers and website servers using SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security).

Even though Microsoft acknowledged last week that Windows was susceptible to FREAK attacks -- adding millions more potential victims -- the company reminded everyone today that the flaw wasn't exclusive to Windows, using boilerplate that it typically trots out in such instances.

"This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems," said the bulletin. "The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems."

Microsoft rated MS15-031 as "important," its second-most-serious threat ranking. The bulletin covered every supported version of Windows, from Server 2003 -- which will be retired in July -- and Windows 7 to Windows 8.1 and Server 2012 R2. Because Windows XP dropped off the public support list in April 2014, it did not receive an update, even though the OS is also almost certainly vulnerable.

FREAK, for "Factoring on RSA-EXPORT Keys," was the name assigned last week by researchers from Microsoft and INRIA, a French research institute, to a design flaw that could let cyber criminals silently force a browser-server connection to fall back to long-discarded encryption standards, even on operating systems whose makers believed they had effectively disabled those libraries, as had Microsoft since Windows Vista and Server 2008. The at-risk ciphers were guarded by keys relatively easy to crack with off-the-shelf software and computing power purchased from cloud services.

The weaker ciphers were once the only ones allowed for export outside the U.S. Although export rules were gradually relaxed in the late 1990s, then largely abandoned in the following years, some browsers and servers still blithely supported the fallback to them.

Criminals would likely leverage the bug through a classic "man-in-the-middle" (MITM) attack, where they insert themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.
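As an added illustration (not code from the article, nor from Microsoft's Schannel), the Python below models the client-side enforcement rule that the bulletin describes as corrected: the negotiated suite must be one the client actually offered, export-grade RSA suites are refused, and a temporary RSA key sent in a ServerKeyExchange is not accepted alongside a non-export suite. The cipher-suite codes are the IANA TLS registry values; the client's offer, the ServerHello bytes and the verdict codes are constructed for the example.

```python
"""Client-side cipher-suite enforcement check of the kind MS15-031 tightens.

Constructed example: the client offered only non-export RSA suites and then
receives a ServerHello, possibly followed by an RSA ServerKeyExchange.
A FREAK-vulnerable client accepted the export-grade key anyway.
"""
import struct

# IANA cipher-suite codes; the client's offer below is constructed
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}  # RC4_40_MD5, RC2_40_MD5, DES40_CBC_SHA
CLIENT_OFFER = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]


def build_server_hello(suite, session_id=b""):
    """Build a TLS 1.0 ServerHello handshake message (server random zeroed)."""
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")  # version, random, sid, suite, null compression
    return b"\x02" + len(body).to_bytes(3, "big") + body  # handshake type 2 = server_hello


def parse_server_hello(msg):
    """Return the cipher suite the server selected, validating the framing."""
    if len(msg) < 4 or msg[0] != 2:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or len(body) < 38:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]  # skip version(2), random(32), session_id length(1) + session_id
    if off + 3 > len(body):
        raise ValueError("bad session_id length")
    (suite,) = struct.unpack("!H", body[off:off + 2])
    return suite


def check_negotiation(offered, server_hello, rsa_server_key_exchange):
    """Apply the patched client's rules and return a verdict code."""
    suite = parse_server_hello(server_hello)
    if suite not in offered:
        return "not-offered"  # the server may only pick from the client's list
    if suite in RSA_EXPORT_SUITES:
        return "export-suite"  # never accept export-grade RSA even if it was offered
    if rsa_server_key_exchange:
        return "rsa-key-exchange-on-non-export"  # FREAK shape: temporary RSA key with a strong suite
    return "ok"
```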

Microsoft's fix followed updates issued yesterday by Apple for both iOS and OS X, and an even earlier one released by Google on March 3 for Chrome on Windows, OS X and Linux.

Microsoft's quick reaction to the FREAK flaw was unusual: The company usually takes a minimum of weeks to craft and test a patch. "A bit actually," said Andrew Storms, vice president of security services for New Context, when asked if he was surprised by Microsoft's speedy fix.

Computerworld verified that the MS15-031 update successfully patched IE against FREAK. Previously, IE11 on Windows 7 had been reported as vulnerable when tested on, a site maintained by a group of computer scientists at the University of Michigan, some of whom are also responsible for the open-source ZMap network scanner project.

MS15-031 was one of 13 security updates Microsoft released today.

Windows users can obtain March's Patch Tuesday slate, including the FREAK fix, via the Windows Update service, as well as through the enterprise-oriented WSUS (Windows Server Update Services).

Stories by Gregg Keizer
