Computers running all supported releases of Microsoft Windows are vulnerable to FREAK, a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.
The flaw was previously thought to be limited to Apple's Safari and Google's Android browsers. But Microsoft warned that the encryption protocols used in Windows – Secure Sockets Layer and its successor Transport Layer Security – were also vulnerable to the flaw.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory message. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry wide issue that is not specific to Windows operating systems." Microsoft said it would likely address the flaw in its regularly scheduled Patch update or with an out-of-cycle patch. Meantime, Microsoft suggested disabling the RSA export ciphers.
The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered it could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers.
110 Reykjavik, Iceland