Most computers and laptops around the world run Windows, and Microsoft has issued an advisory regarding the dangerous FREAK vulnerability affecting millions of PCs. The warning comes after researchers recently discovered a security flaw in SSL/TLS implementations that can be used to steal highly sensitive data while visiting websites.
According to Microsoft's advisory, Internet Explorer, Windows Server 2008 and 2012, and any other software that relies on Schannel (Windows' SSL/TLS library) are affected by FREAK.
FREAK, which stands for Factoring Attack on RSA-EXPORT Keys, takes advantage of a weak "export-grade" encryption mode and the decision made in the 1990s to limit the strength of exported RSA encryption keys to 512 bits. The bug enables man-in-the-middle attacks against SSL (Secure Sockets Layer) connections and puts users' confidential information at risk.
"The FREAK attack is clear evidence of how far back the long tail of security stretches. As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build," Andrew Avanessian, Avecto's EVP of consultancy and technology services, told ZDNet in an email statement.
Initially, FREAK was said to threaten mobile devices and Mac computers, but Microsoft's warning puts Windows users at risk as well. Browsers on Mac, Android and Windows can expose users to attackers. Browsers such as Google Chrome, and computers using stronger encryption such as 1048-bit and 2048-bit keys, are safe from FREAK.
Important Tips On Protecting Your Windows PC from FREAK Attacks
To verify whether your computer or browser is affected by FREAK, run the FREAK Attack Client Check in Chrome, IE, Safari, Firefox or your mobile browser.
- Update your browsers. Google Chrome 41 and above, or the latest Firefox, are safe to use across all platforms.
- Do not use Internet Explorer, Safari, the Android Browser, the BlackBerry Browser, or Opera on Mac and Android; all of these are vulnerable until a patch is released.
- Windows XP and Windows Server 2003 users are at high risk of FREAK attacks. Server 2003 support ends in July.
- Disable RSA key exchange ciphers. Refer to Microsoft's step-by-step guide.
- Keep your antivirus software updated with the latest patches.
- Enable the firewall and check for the latest Microsoft updates.
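The downgrade described above leaves a visible trace on the wire: the server side of a FREAK handshake negotiates an RSA_EXPORT cipher suite, and the client side sees a plain RSA suite followed by a ServerKeyExchange message that RSA key exchange never uses. The following added example (not from the article, nor from Microsoft or the FREAK Client Check) parses one TLS handshake record and flags either signal; the record layout, the suite IDs from RFC 2246, and the sample flights are assumptions built inline.

```python
"""Flag FREAK-style downgrades in a captured TLS 1.x server handshake flight.

Assumed record layout (RFC 2246): record header (type 0x16, version, length)
followed by one or more handshake messages (type, 3-byte length, body).
"""
import struct

# RSA_EXPORT suites from RFC 2246 (40-bit ciphers keyed via a 512-bit RSA key)
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}
# Common non-export suites using plain RSA key exchange (no ServerKeyExchange)
RSA_SUITES = {0x000A, 0x002F, 0x0035}
SERVER_HELLO, SERVER_KEY_EXCHANGE = 2, 12

def handshake_messages(record):
    """Yield (msg_type, body) for every handshake message in one TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    length = struct.unpack(">H", record[3:5])[0]
    body, off = record[5:5 + length], 0
    while off < len(body):
        msg_type = body[off]
        msg_len = int.from_bytes(body[off + 1:off + 4], "big")
        yield msg_type, body[off + 4:off + 4 + msg_len]
        off += 4 + msg_len

def server_hello_suite(body):
    """Return the cipher suite selected in a ServerHello body."""
    sid_len = body[34]                      # after version(2) + random(32)
    return struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]

def freak_risk(record):
    """Return a verdict: export suite, suspicious ServerKeyExchange, or ok."""
    suite, saw_ske = None, False
    for msg_type, body in handshake_messages(record):
        if msg_type == SERVER_HELLO:
            suite = server_hello_suite(body)
        elif msg_type == SERVER_KEY_EXCHANGE:
            saw_ske = True
    if suite in RSA_EXPORT_SUITES:
        return "export-grade RSA suite negotiated"
    if suite in RSA_SUITES and saw_ske:
        return "ServerKeyExchange with plain RSA suite (downgrade?)"
    return "ok"

def build_record(suite, with_ske=False):
    """Constructed sample flight: ServerHello plus optional ServerKeyExchange."""
    hello = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    msgs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    if with_ske:
        ske = b"\x00" * 8                   # placeholder params, not inspected
        msgs += b"\x0c" + len(ske).to_bytes(3, "big") + ske
    return b"\x16\x03\x01" + struct.pack(">H", len(msgs)) + msgs
```

Real servers often split the flight across several records, so a capture tool should concatenate the handshake bodies before applying this check.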
Microsoft has yet to release patches to protect Windows PCs from FREAK, while Apple and Google have confirmed that software updates are coming as soon as next week to fix the vulnerability.