ALL versions of Microsoft Windows also vulnerable to FREAK security flaw

[thai tech]

ALL versions of Microsoft Windows also vulnerable to FREAK security flaw



Computers running any previous supported release of Microsoft Windows are vulnerable to the FREAK security flaw, Microsoft has confirmed.

FREAK, which was discovered earlier this week, was only thought to affect Android and Apple’s Safari browser.

However, in this security advisory, Microsoft confirms that encryption protocols used in Windows, namely Transport Layer Security and Secure Sockets Layer, are also vulnerable to the security flaw.

Read more: http://tech.thaivisa.com/all-versions-of-microsoft-windows-also-vulnerable-to-freak-security-flaw/6403/

[Brit_Doggie]

Link to check if vulnerable.mine was clear.

https://freakattack.com/clienttest.html

[RichCor]

Ugh. I wish the people who posted these tech news topics were educated. This just comes across as click-bait and scar-mongering.

Windows is vulnerable.

Windows is vulnerable.

All systems that use a common security method that still included outdated protocols as fallback are vulnerable.

Make sure any system you want to keep secure has an upgrade procedure. Or swap out that device for a more 'secure' device (for whatever time that means).

I'm working on a scheme that will transport all the Thai Tech guys to the moon. I'm hoping they'll give a live report on what they find.

[Xircal]

Ugh. I wish the people who posted these tech news topics were educated. This just comes across as click-bait and scar-mongering.

Windows is vulnerable.

Windows is vulnerable.

All systems that use a common security method that still included outdated protocols as fallback are vulnerable.

Make sure any system you want to keep secure has an upgrade procedure. Or swap out that device for a more 'secure' device (for whatever time that means).

I'm working on a scheme that will transport all the Thai Tech guys to the moon. I'm hoping they'll give a live report on what they find.

Not so I regret to say. Microsoft has already confirmed the vulnerability: https://technet.microsoft.com/en-us/library/security/3046015?f=255&MSPPError=-2147217396

The good news is that Firefox is not affected either on a Windows PC, or on an Android phone. So it would be advisable to switch to that while the rest of the browser developers get their act together.

EDIT: Microsoft suggests a workaround in the above mentioned link to disable the RSA key exchange ciphers. However, this will only work provided the version of Windows in use includes the Group Policy Editor.

You can determine if that's the case by doing the following:

1. Hit Windows key + R to open the Run command.
2. Type: gpedit.msc and click OK
3. If it's not included with the version of Windows you have installed, you'll see the dialog box shown in the screenshot.

Edited March 6, 2015 by Xircal

[RichCor]

Not so ...what?

I said all systems are vulnerable. I would think an educated person would believe that Microsoft OSes would be included in the Ven Diagram of "all".

Yes, Microsoft said they're affected. Many other OSes and runtime environments should say they are too.

It's not specifically an 'OS' thing. It's a protocol thing.

Not sure why I'm being quoted.

[innerspace]

I'm not vulnerable, I refuse to use any sites that use SSL or TLS, http is fine.

Oh wait...

Btw, my pin number is 1468 and my gold is stored under the seat of my bike.

[96tehtarp]

Link to check if vulnerable.mine was clear.

https://freakattack.com/clienttest.html

Thanks for posting the link.

[Chicog]

Chrome on Window 10 is OK.

[nikster]

Posted in another thread but AFAIK both client and server need to be vulnerable so this can happen; all servers I tried using an online testing tool had been patched already (or never supported "export" grade certificates to begin with)

FWIW Chrome on OS X seems to be patched already.

Edited March 7, 2015 by nikster

[RichCor]

ZDNet posted a useful article on the issue:

FREAK flaw: ​How to protect yourself now

Summary:The FREAK security hole is more widespread than previously thought. Here's everything users and system administrators need to know in order to stay safe now.

...the miTLS Team, which discovered this decrepit FREAK security hole in the first place, the following SSL/TLS client libraries, are vulnerable.

• OpenSSL (CVE-2015-0204): versions before 1.0.1k.

• BoringSSL: versions before Nov 10, 2014.

• LibReSSL: versions before 2.1.2.

• SecureTransport: is vulnerable. A fix is being tested.

• SChannel: is vulnerable. A fix is being tested.

Web browsers that use these TLS libraries are open to attack. These include:

• Chrome versions before 41 on various platforms are vulnerable.

• Internet Explorer. Wait for a patch, switch to Firefox or Chrome 41, or disable RSA key exchange as detailed below using the Group Policy Object Editor

• Safari is vulnerable. Wait for a patch, switch to Firefox or Chrome 41.

• Android Browser is vulnerable. Switch to Chrome 41.

• Blackberry Browser is vulnerable. Wait for a patch.

• Opera on Mac and Android is vulnerable. Update to Opera 28 (when stable), switch to Chrome 41.

As already mentioned, this is not an immediately usable exploit. While it's possible to trigger the secure link to fall back to previously weaker versions of security protocols, an attacker would still need to spend considerable time-intensive resources to break the weaker encryption.

If you really want to avoid the risk then switching to a patched client browser, and/or editing the Group Policy of your OS (where possible) can keep the issue at bay until patches are rolled out (where patched are still being rolled out, that is).

While your browser is one point of entry, there may be other processes on your system that utilize an affected security connect client library that are vulnerable to attack and later malware/trojan injection ... but will someone really go to the effort involved to attack you when so many easier/quicker breaches are available?

Personally, I'm using the latest version of Chrome and will wait for patches.