Microsoft could release an out-of-band patch

Mar 6, 2015 12:47 GMT

The FREAK attack, which lets an attacker force SSL/TLS connections to use an RSA key that can be cracked and then used to decrypt HTTPS traffic, affects all supported versions of the Windows operating system.

Initially, it was believed that only Apple and Android devices were vulnerable, but Microsoft released a security advisory stating that Secure Channel (Schannel), its implementation of the SSL/TLS protocols, can also be exploited through the attack.

Short for Factoring RSA Export Keys, the FREAK attack was disclosed on Tuesday. It relies on an old requirement that crypto libraries offer the option of securing the connection with an export-grade, 512-bit RSA key, which can now be cracked in about seven hours with an investment of $100 / €90.

The issue is not specific to Windows

Using a man-in-the-middle position, an attacker can intercept secure traffic between vulnerable clients and servers and force the use of the weak RSA key for the encryption.

Following the disclosure, Microsoft started an investigation of Schannel and announced on Thursday that its security package could be exploited via the FREAK technique, stressing that the problem was not specific to Windows and affected other products, too.

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” the advisory says.

The glitch in Schannel is now tracked as CVE-2015-1637.

Fix not scheduled for release yet

The software giant proposes a workaround that would block known attack vectors until a patch is provided. It consists of disabling the RSA key exchange ciphers.
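The following sketch is an added example, not taken from Microsoft's advisory or from the original article. It audits a cipher-suite order for the export-grade RSA suites FREAK depends on and for the RSA key exchange suites the workaround disables, assuming the order is available as a comma-separated string of IANA-style suite names; the sample order and all function names are constructed for illustration.

```python
# Added example: audit a TLS cipher-suite order for FREAK exposure.
# SAMPLE_ORDER is constructed input, not a list from the advisory.

SAMPLE_ORDER = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5,"
    "TLS_RSA_WITH_RC4_128_SHA"
)

def key_exchange(suite):
    """Return the key-exchange field of a suite name, or None if absent."""
    name = suite.strip().upper()
    for prefix in ("TLS_", "SSL_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    if "_WITH_" not in name:
        return None  # name carries no key-exchange field
    return name.split("_WITH_", 1)[0]

def classify(suite):
    """Label a suite: export_rsa, rsa_kx, export_other or other."""
    kx = key_exchange(suite)
    if kx is None:
        return "other"
    if kx.startswith("RSA_EXPORT"):
        return "export_rsa"    # export-grade RSA: the FREAK downgrade target
    if kx == "RSA":
        return "rsa_kx"        # plain RSA key exchange: what the workaround disables
    if "EXPORT" in kx:
        return "export_other"  # other export-grade suites, weak regardless
    return "other"             # e.g. ECDHE_RSA: RSA only authenticates here

def audit(order):
    """Return (findings by label, order with the flagged suites removed)."""
    suites = [s.strip() for s in order.split(",") if s.strip()]
    report = {"export_rsa": [], "rsa_kx": [], "export_other": [], "other": []}
    for s in suites:
        report[classify(s)].append(s)
    hardened = [s for s in suites if classify(s) == "other"]
    return report, hardened

if __name__ == "__main__":
    findings, hardened = audit(SAMPLE_ORDER)
    for label in ("export_rsa", "rsa_kx", "export_other"):
        print(label, findings[label])
    print("hardened order:", ",".join(hardened))
```

Suites such as ECDHE_RSA and DHE_RSA stay in the hardened order because they use RSA only to authenticate the server, not to exchange the key.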

At the moment, there is no information about the date a security update would be issued to completely mitigate the risk. The company says that the patch could be released via the monthly update cycle, but an out-of-band update is not excluded either.

According to FREAKAttack.com, a website that makes available details about the impact of the vulnerability on various products and operating systems, the number of servers currently affected is dropping.

Out of the top one million servers ranked by Alexa, 9.5% are currently vulnerable, a drop from 12.2% recorded previously. Initially, researchers at the University of Michigan scanned 14 million websites that offered clients a browser-certified secure connection and found that 36% were vulnerable to the FREAK attack.

The Windows and OS X desktop versions of Google Chrome are safe to use, but the Android version should be avoided. The Safari web browser on OS X and iOS is expected to receive a fix next week.

On mobile devices, users can turn to Firefox for browsing, as the product is currently considered to be safe from the attack.