Microsoft's Windows systems are vulnerable to an encryption flaw that allows an attacker positioned between a user and a vulnerable website to read communications both sides believe are encrypted.
Previously, the bug called FREAK, short for Factoring attack on RSA-EXPORT Keys, was said to affect only Apple's Safari on iOS and OS X devices and Android smartphones and tablets running Google's Chrome for Android. However, a security advisory released by Microsoft on Thursday shows the bug is present in the majority of its operating systems, including Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows RT, Windows Vista, Windows 7, Windows 8, and Windows 8.1.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," says Microsoft. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems."
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are considered by security experts to be "the most important security protocols on the Internet"; they are designed to secure communications by encrypting data passing between the parties involved. FREAK circumvents that protection when a flawed client talks to a website that still supports 1990s-era "export-grade" cipher suites: an attacker sitting between the two can rewrite the handshake so that the server sends an obsolete 512-bit RSA key, which the vulnerable client accepts even though it never asked for it. A 512-bit RSA key can be factored in a matter of hours for roughly a hundred dollars of rented computing time, after which the attacker can decrypt the session.
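The downgrade described above, as an added toy model that is not code from the article or from the FREAK researchers. Handshake messages are plain dicts and no real cryptography is performed; the cipher suite names are real TLS suites, while the `Server`, `Attacker` and `Client` classes and the 2048-bit certificate key size are assumptions made for the illustration. It shows the client-side check that matters: in a plain RSA handshake the server never sends a ServerKeyExchange message, only RSA_EXPORT suites carry a temporary 512-bit key there, so a correct client rejects such a message when the negotiated suite is not an export suite, and the FREAK bug was that affected clients accepted it.

```python
"""Toy model of the FREAK downgrade (added example; no real crypto)."""

RSA_AES128 = "TLS_RSA_WITH_AES_128_CBC_SHA"    # what the client really offers
RSA_EXPORT = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"  # what the attacker substitutes
EXPORT_SUITES = {RSA_EXPORT}
CERT_KEY_BITS = 2048  # assumed size of the server certificate's RSA key


class Server:
    """A server that may still have export suites enabled (hypothetical config)."""

    def __init__(self, supports_export=True):
        self.supports_export = supports_export

    def hello(self, client_hello):
        """Pick the first acceptable suite; export suites add a weak temporary key."""
        for suite in client_hello["suites"]:
            if suite in EXPORT_SUITES and not self.supports_export:
                continue
            msgs = {"suite": suite}
            if suite in EXPORT_SUITES:
                # Export rules capped RSA at 512 bits; only export suites send this message
                msgs["server_key_exchange"] = {"rsa_bits": 512}
            return msgs
        raise ValueError("handshake_failure: no cipher suite in common")


class Attacker:
    """Man-in-the-middle rewriting the handshake in both directions."""

    def tamper_client_hello(self, client_hello):
        # Replace the client's suite list with an export suite the server accepts
        return {"suites": [RSA_EXPORT]}

    def tamper_server_hello(self, server_msgs, requested_suite):
        # Tell the client it got the suite it asked for, but keep the 512-bit key
        return dict(server_msgs, suite=requested_suite)


class Client:
    def __init__(self, vulnerable):
        self.vulnerable = vulnerable

    def hello(self):
        return {"suites": [RSA_AES128]}

    def process(self, server_msgs):
        """Return the parameters the client will encrypt with, or abort."""
        suite = server_msgs["suite"]
        ske = server_msgs.get("server_key_exchange")
        if ske is not None and suite not in EXPORT_SUITES:
            if not self.vulnerable:
                raise ValueError("unexpected_message: ServerKeyExchange in a "
                                 "non-export RSA handshake")
            # FREAK: the buggy client silently encrypts to the temporary key instead
        key_bits = ske["rsa_bits"] if ske is not None else CERT_KEY_BITS
        return {"suite": suite, "key_bits": key_bits}


def run_handshake(client, server, attacker=None):
    """Drive one handshake, optionally through the attacker."""
    client_hello = client.hello()
    wire_hello = attacker.tamper_client_hello(client_hello) if attacker else client_hello
    server_msgs = server.hello(wire_hello)
    if attacker:
        server_msgs = attacker.tamper_server_hello(server_msgs, client_hello["suites"][0])
    return client.process(server_msgs)


def handshake_rejected(client, server, attacker=None):
    """True if either side aborts the handshake, False if it completes."""
    try:
        run_handshake(client, server, attacker)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("no attacker:      ", run_handshake(Client(vulnerable=True), Server()))
    print("vulnerable client:", run_handshake(Client(vulnerable=True), Server(), Attacker()))
    print("patched client rejects:", handshake_rejected(Client(vulnerable=False), Server(), Attacker()))
    print("server without export suites rejects:",
          handshake_rejected(Client(vulnerable=True), Server(supports_export=False), Attacker()))
```

The model leaves out the Finished messages: in real TLS their MAC covers the whole handshake transcript and would expose the tampering, but an attacker who has already factored the reused 512-bit key can recover the premaster secret and forge them, which is why the attack works in practice. Either fix closes the hole: a client that enforces the message sequence (the last two cases) or a server with export suites disabled.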
A scan of more than 14 million websites with TLS encryption shows 36 percent are configured to accept the weak export-grade cipher suites, including U.S. government websites such as WhiteHouse.gov, NSA.gov, and IRS.gov. Popular websites such as Bloomberg.com, MIT.edu, JCPenney.com, Cornell.edu, and USAJobs.gov are also among those affected, according to FREAKAttack.com.
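A server-side check of the kind such a scan performs, as an added example that is not the article's or FREAKAttack.com's own scanner: it sends a TLS 1.0 ClientHello that offers only the three RSA export suites and reports whether the server selects one of them (a server without export support should answer with a handshake_failure alert). The `probe` and `classify_response` helper names are this example's own; the cipher suite code points and message layouts are from RFC 2246 and RFC 6066.

```python
"""Probe a TLS server for export-grade RSA cipher suites (added example)."""
import os
import socket
import struct

# RSA export suites from RFC 2246, by code point
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15


def build_client_hello(server_name, suites=EXPORT_RSA_SUITES):
    """Build a TLS 1.0 ClientHello record offering only the given suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    host = server_name.encode()
    # server_name extension (RFC 6066) so virtual hosts answer for the right site
    sni = (struct.pack("!HH", 0, len(host) + 5)
           + struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    extensions = struct.pack("!H", len(sni)) + sni
    body = (b"\x03\x01"                                   # client_version: TLS 1.0
            + os.urandom(32)                              # random
            + b"\x00"                                     # session_id: empty
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                 # compression: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return ("server_hello", suite), ("alert", description) or ("other", type)."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    content_type = data[0]
    rec_len, = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if content_type == ALERT:
        return ("alert", body[1])          # body[0] is the alert level
    if content_type == HANDSHAKE and body[:1] == b"\x02":
        # ServerHello: type(1) length(3) version(2) random(32) session_id_len(1) ...
        sid_len = body[38]
        suite, = struct.unpack("!H", body[39 + sid_len:41 + sid_len])
        return ("server_hello", suite)
    return ("other", content_type)


def classify_response(data):
    """(downgradable, label): True only if the server picked an export RSA suite."""
    kind, value = parse_server_response(data)
    if kind == "server_hello" and value in EXPORT_RSA_SUITES:
        return True, EXPORT_RSA_SUITES[value]
    return False, f"{kind}:{value}"


def probe(host, port=443, timeout=5):
    """Connect, send the export-only ClientHello and classify the first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = sock.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A `True` result means the server still serves export suites and is one half of what FREAK needs; the other half is a client with the ServerKeyExchange bug. The probe only reads the first record, which is enough because the cipher suite is chosen in the ServerHello.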
On Thursday, Google released a security patch for Chrome for Mac, but the Windows version remains vulnerable and Google did not say when users could expect a fix. Apple said it will release an update next week. Meanwhile, Microsoft says it is "actively working" with its partners in its Microsoft Active Protection Program to provide early-access protection, which will then be rolled out for consumers.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers," Microsoft says. "This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
Security experts are divided as to the severity of the vulnerability. Despite the large number of devices affected, some experts believe the nature of FREAK makes it difficult for hackers to carry out attacks in large numbers, which is likely one of the reasons why Google, Apple, and Microsoft are not issuing fixes immediately. Others, however, say the fact that the bug has been around for more than 10 years should raise a red flag to affected companies.
FREAK was discovered by researchers who showed they could break the 512-bit keys used by some websites in only a few hours. The weakness, they say, is a legacy of U.S. export restrictions that limited the strength of encryption in software sold abroad; those restrictions were lifted in the late 1990s, but the deliberately weakened cipher suites were never removed from many SSL/TLS implementations.
"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor foreign traffic," says Matthew Green, cryptographer and research professor at Johns Hopkins University and part of the team that discovered FREAK. "This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today."
Photo: Mike Mozart | Flickr