Relax! We've got a (server-knackering) workaround to sort things out, says Microsoft
Microsoft says its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack.
This means if you're using Windows, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to use weak encryption over the web.
Intercepted HTTPS connections can be easily cracked, revealing sensitive details such as login cookies and banking information, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are).
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Redmond says in an advisory.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.
"When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."
The bug (CVE-2015-1637) in Windows' Secure Channel component is not thought to be under active attack by eavesdroppers at the time of writing.
The FREAK (Factoring attack on RSA-EXPORT Keys) mess revealed this week allows bad guys to decrypt login cookies and other sensitive information from HTTPS connections to vulnerable browsers.
Redmond is pushing out details of defensive mechanisms through its Microsoft Active Protections Program. It offers imperfect workarounds, including changing the registry in Server 2003 to disable vulnerable key exchange ciphers, which it warns could cause "serious problems".
Read more: http://www.theregister.co.uk/2015/03/06/all_microsoft_windows_versions_vulnerable_to_freak/