After confirming that all Windows computers are vulnerable to a FREAK attack, Microsoft released a patch on March 10 that protects machines against data interception. The announcement was made on the company’s TechNet blog.
“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” the post stated.
Windows users are advised to install the update, which has been named MS15-031. Microsoft has fixed the SSL implementations in its software to reduce the chances of a FREAK attack.
FREAK is short for Factoring attack on RSA-EXPORT Keys. In a FREAK attack, hackers are able to intercept information that is transferred between an end user and a website. The attacker begins by injecting malware into the connection that causes the two parties to use a weak, 512-bit encryption key. Once that has happened, the weakened connection allows the attacker to tap into sensitive data.
Microsoft had originally said that Windows was not vulnerable to an attack, but quickly backtracked with an announcement on its TechNet blog last week.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows,” the company wrote. “We are actively working with partners in our Microsoft Active Protections Program to provide information that they can use to provide broader protections to customers.”
Smartphones and devices that run iOS or Android have been deemed susceptible to FREAK attacks, so Windows users aren’t the only ones with something to worry about.
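For defenders who want to check captured handshakes for the weak-key condition described above, the following is an added example, not code from Microsoft or from this article. It assumes the ServerHello and ServerKeyExchange handshake messages have already been reassembled from a capture; the function names and the sample bytes are constructed for illustration.

```python
import struct

# IANA code points. RSA_EXPORT suites use a temporary RSA key of at most 512 bits.
RSA_EXPORT = {0x0003, 0x0006, 0x0008}
# Plain RSA key transport: the server sends no ServerKeyExchange for these suites.
PLAIN_RSA = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}

def selected_suite(server_hello: bytes) -> int:
    """Return the cipher suite chosen in a ServerHello handshake message."""
    if len(server_hello) < 41 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello")
    sid_len = server_hello[38]  # 4-byte header + 2-byte version + 32-byte random
    if len(server_hello) < 41 + sid_len:
        raise ValueError("truncated ServerHello")
    return struct.unpack_from("!H", server_hello, 39 + sid_len)[0]

def temp_rsa_bits(ske: bytes) -> int:
    """Bit length of the RSA modulus carried in an RSA-style ServerKeyExchange."""
    if len(ske) < 6 or ske[0] != 0x0C:
        raise ValueError("not a ServerKeyExchange")
    (mod_len,) = struct.unpack_from("!H", ske, 4)
    modulus = ske[6:6 + mod_len]
    if len(modulus) != mod_len:
        raise ValueError("truncated modulus")
    return int.from_bytes(modulus, "big").bit_length()

def check_handshake(server_hello: bytes, ske: bytes = None) -> str:
    """Flag export suites, and temporary RSA keys sent where none is allowed."""
    suite = selected_suite(server_hello)
    if suite in RSA_EXPORT:
        return "export-suite-negotiated"
    if suite in PLAIN_RSA and ske is not None:
        return f"unexpected-temp-rsa-key:{temp_rsa_bits(ske)}"
    return "ok"

# Constructed sample messages (not from a real capture, not a real key).
def handshake_msg(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def sample_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return handshake_msg(0x02, body)

# 64-byte (512-bit) modulus and exponent 65537; the signature field is omitted.
SAMPLE_MODULUS = b"\x80" + bytes(62) + b"\x01"
SAMPLE_SKE = handshake_msg(0x0C, struct.pack("!H", 64) + SAMPLE_MODULUS + struct.pack("!H", 3) + b"\x01\x00\x01")

if __name__ == "__main__":
    print(check_handshake(sample_server_hello(0x0003)))
    print(check_handshake(sample_server_hello(0x002F), SAMPLE_SKE))
```

A patched client rejects the second case outright; on an unpatched one, the 512-bit key it reports is what makes the session readable to whoever factors it.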