All supported versions of Windows operating systems end up affected by the FREAK attack that allows an attacker to force SSL/TLS cryptographic protocols to use an easy to beat RSA key to decrypt HTTPS traffic, researchers said.
At first researchers thought Apple and Android were the only vulnerable devices, but Microsoft released a security advisory saying Secure Channel, its implementation of the SSL/TLS protocols, can also suffer in the attack.
Short for Factoring RSA Export Keys, the FREAK attack first came out last Tuesday. It relies on an old specification for crypto-libraries that required providing the possibility to secure the connection with an export-grade, 512-bit RSA key possible to crack in seven hours, with an investment of $100.
Through a man-in-the-middle attack technique, an individual can intercept secure traffic between vulnerable clients and servers, and force the use of the weak RSA key for the encryption.
Following the disclosure, Microsoft started an investigation and said its security package could end up exploited via the FREAK technique, saying the problem was not specific to Windows and affected other products, too.
“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” the advisory says. The vulnerability now has a case number of CVE-2015-1637.
Microsoft created a workaround that would block known attack vectors until they come out with a patch. It consists of disabling the RSA key exchange cyphers.
At the moment, there is no information about the date a security update would release to completely mitigate the risk. The company said the patch could release via the monthly update cycle, but an out-of-band update is not excluded either.
According to FREAKAttack.com, a website that makes available details about the impact of the vulnerability on various products and operating systems, the number of servers currently affected is dropping.