UPDATED 07:41 EDT / MARCH 11 2015

Microsoft patches FREAK and Stuxnet bugs for Windows PCs

One week after Microsoft released a security warning stating that hundreds of millions of Windows users could be at risk from the FREAK flaw, a bug that could allow attackers to intercept communications by forcing machines into loading weaker encryption, the Redmond company has issued an update (one of 14 updates for Patch Tuesday) to fix the vulnerability.

The bug was not unique to Windows, and the FREAK update comes just one day after Apple Inc. issued a fix for iOS and OS X, while back on March 3rd Google released a patch for Chrome on Windows, OS X and Linux.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” said Microsoft, adding that, “The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.”

The vulnerability was discovered some weeks ago after French researchers found they could manipulate connections to websites so that they used weak, export-grade encryption, which the researchers were then able to crack in a short time. Once the encryption was broken they could collect password data and take control of various elements of a webpage. In effect, an attacker exploiting the flaw on an insecure Wi-Fi network could act as a man in the middle, sitting between users and the servers they were talking to. So far there is no evidence that the vulnerability was exploited in the wild.
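The downgrade described above only succeeds when a client offers, and a server accepts, one of the old export-grade cipher suites. As an added illustration that is not part of the article, the Python below parses a captured TLS ClientHello or ServerHello and reports any such suite; the suite ids are the IANA-registered values, and the sample hellos are constructed here for the demonstration.

```python
import struct
# IANA ids of the RSA/DH export-grade suites (40-bit ciphers, 512-bit RSA/DH). A
# FREAK downgrade needs one of these offered and accepted; that is what we audit for.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_suites(record: bytes):
    """(handshake_type, suite ids) from one TLS record carrying a ClientHello or ServerHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    p = record[9:9 + hs_len]
    pos = 2 + 32                              # skip protocol version and 32-byte random
    pos += 1 + p[pos]                         # skip length-prefixed session_id
    if hs_type == 0x01:                       # ClientHello: 2-byte length, then 2-byte suite ids
        n = struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", p[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    elif hs_type == 0x02:                     # ServerHello: the single chosen suite
        suites = [struct.unpack("!H", p[pos:pos + 2])[0]]
    else:
        raise ValueError("not a ClientHello or ServerHello")
    return hs_type, suites

def export_suites_in(record: bytes):
    """Names of export-grade suites offered (ClientHello) or chosen (ServerHello)."""
    return [EXPORT_SUITES[s] for s in hello_suites(record)[1] if s in EXPORT_SUITES]

def build_hello(hs_type: int, suites):
    """Constructed test input: minimal TLS 1.2 ClientHello (0x01) or ServerHello (0x02)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, zero random, empty session id
    ids = b"".join(struct.pack("!H", s) for s in suites)
    if hs_type == 0x01:
        body += struct.pack("!H", len(ids)) + ids + b"\x01\x00"   # suite vector, null compression
    else:
        body += ids + b"\x00"                                     # chosen suite, null compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a client offering only modern suites, a client hello carrying an
# export suite (a downgraded handshake on the wire), and a server that accepted it.
MODERN_HELLO = build_hello(0x01, [0xC02F, 0x009C, 0x002F])
EXPORT_HELLO = build_hello(0x01, [0x0008, 0x002F])
EXPORT_SERVER = build_hello(0x02, [0x0008])
```

A server whose ServerHello ever reports a suite from this table is one that still needs export suites disabled, regardless of how the client was patched.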

FREAK (Factoring RSA Export Keys) has its roots in the 1990s, when the U.S. government, wanting to keep an eye on people, created policies that weakened encryption and banned export of the strongest encryption. Despite the law changing since then, some of the weaker cipher suites survived into modern software.

Also included in the updates was a patch for a Stuxnet bug, something Microsoft thought it had fixed back in 2010. Stuxnet was a worm allegedly created by the U.S. and Israeli governments some years ago to infiltrate Iran’s nuclear facility, crash computers, and in doing so destabilize Iran’s nuclear program. The worm has since been found on systems in other countries around the world.

Photo credit: Dave Rosen via photopin cc

