Microsoft on Thursday issued a security advisory acknowledging a vulnerability in all supported versions of Windows that could allow FREAK exploits.
Windows systems previously were thought to be immune to FREAK attacks.
“The vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique,” the advisory reads.
NSA’s Flaws Come Home to Roost
At the root of the problem are the deliberately weakened “export-grade” cipher suites that U.S. export rules, drafted at the urging of the National Security Agency, once required vendors to build into their products.
Researchers at miTLS, a joint project between Microsoft Research and France’s Inria national research institute, earlier this week reported that although they are disabled by default, support for these weakened suites remains in many implementations such as OpenSSL, and an attacker positioned between client and server can force a connection to use them instead of stronger ones.
They dubbed such attacks “FREAK,” for “Factoring RSA Export Keys.”
The attacker then has to factor the 512-bit export key, which the researchers said takes less than 12 hours and costs about US$50 on Amazon EC2.
The flaw could endanger millions of websites worldwide, as well as owners of computers and mobile devices running Windows, OS X, iOS and Android.
The NSA and the FBI are among the government agencies whose websites are vulnerable to FREAK attacks.
How FREAK Works
The flaw stems from export-grade cipher suites such as TLS_RSA_EXPORT_WITH_DES40_CBC_SHA. U.S. export rules in the 1990s capped the RSA keys in such suites at 512 bits (and the symmetric keys at 40 bits, hence “DES40”) so that the U.S. could monitor foreign computers.
The designers of SSL created a negotiation mechanism that would identify the best cipher both parties could support, according to cryptographer Matthew Green.
Most modern clients, such as Web browsers, won’t offer the export grade cipher suites, and it was believed that few servers offered those weak suites.
However, some modern TLS clients, including Apple’s SecureTransport and OpenSSL, have a bug that lets them accept a 512-bit RSA export key from the server even when the client never asked for an export suite. A man in the middle can therefore rewrite the ClientHello to request an export suite, let the server answer with its weak key, and rewrite the ServerHello so the client believes the strong suite it asked for was chosen.
“The FREAK flaw allows for feasible decryption of SSL keys in hours using a man-in-the-middle proxy to trick a Web server to use weak encryption rather than the strongest available for the client browser,” said Philip Lieberman, president of Lieberman Software.
The attack “could be used to decrypt users’ names and passwords as well as other sensitive data that users think is protected by SSL,” he told TechNewsWorld.
Who’s at Risk
A connection is vulnerable when the server accepts RSA Export cipher suites and the client either offers such a suite or is using a version of OpenSSL that’s vulnerable to CVE-2015-0204, according to computer scientists at the University of Michigan.
They list a slew of vulnerable domains, including those for American Express, Bloomberg, NPR, MIT, the University of Michigan, Cornell University, National Geographic, Kohls, JCPenney, Groupon and TinyUrl.
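To make the downgrade concrete, here is an added example, not code from the miTLS researchers or from any vendor named on this page, modelling the cipher suite negotiation in Python: the attacker rewrites the ClientHello to offer only an export suite, the server answers with a 512-bit ephemeral RSA key, and the attacker rewrites the ServerHello so the client sees the strong suite it asked for. A client with the CVE-2015-0204 bug accepts the weak key; a patched client rejects an RSA ServerKeyExchange for a non-export suite. The suite names are real TLS identifiers; the 2048-bit certificate key, the class and function names, and the `at_risk` check (which encodes the University of Michigan precondition stated above) are this example’s own assumptions, and it produces no real TLS traffic.

```python
from dataclasses import dataclass
from typing import List, Optional

# Suite names are real TLS cipher suite identifiers; the key sizes are an
# assumed 2048-bit certificate key and the 512-bit export cap.
STRONG_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"       # ordinary RSA suite
EXPORT_SUITE = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"  # 1990s export-grade suite
CERT_KEY_BITS = 2048
EXPORT_KEY_BITS = 512


def is_export(suite: str) -> bool:
    return "_EXPORT_" in suite


@dataclass
class Server:
    accepts_export: bool  # export suites still enabled on the server

    def choose(self, offered: List[str]) -> Optional[str]:
        """ServerHello: first suite in the client's list the server will use."""
        for suite in offered:
            if is_export(suite) and not self.accepts_export:
                continue
            return suite
        return None  # no suite in common: handshake fails

    def key_exchange_bits(self, chosen: str) -> Optional[int]:
        """ServerKeyExchange: export suites carry a 512-bit ephemeral RSA key.
        Plain RSA suites send none; the client encrypts to the certificate key."""
        return EXPORT_KEY_BITS if is_export(chosen) else None


@dataclass
class Client:
    offers_export: bool  # ClientHello lists export suites
    patched: bool        # has the CVE-2015-0204 check

    def hello(self) -> List[str]:
        return [STRONG_SUITE] + ([EXPORT_SUITE] if self.offers_export else [])

    def premaster_key_bits(self, seen_suite: str, ske_bits: Optional[int]) -> int:
        """Bits of the RSA key the premaster secret is encrypted to, or a
        ValueError if the client refuses to continue."""
        if ske_bits is None:
            return CERT_KEY_BITS
        if self.patched and not is_export(seen_suite):
            # the fix: an RSA ServerKeyExchange is only valid for an export suite
            raise ValueError("RSA ServerKeyExchange received for non-export suite")
        return ske_bits  # buggy client: takes the weak key without complaint


def handshake(client: Client, server: Server, mitm: bool) -> dict:
    """Run the exchange; with mitm=True an attacker rewrites both Hellos."""
    offered = client.hello()
    if mitm:
        offered = [EXPORT_SUITE]  # ClientHello rewritten to offer only export suites
    chosen = server.choose(offered)
    if chosen is None:
        return {"status": "no_handshake", "downgraded": False}
    ske_bits = server.key_exchange_bits(chosen)
    # ServerHello rewritten so the client sees a suite it actually offered
    seen = chosen if chosen in client.hello() else STRONG_SUITE
    try:
        bits = client.premaster_key_bits(seen, ske_bits)
    except ValueError as exc:
        return {"status": "client_aborted", "downgraded": False, "reason": str(exc)}
    # The attacker still has to forge the Finished messages, which needs the
    # premaster secret: hence factoring the 512-bit key (the effort quoted above).
    return {"status": "ok", "suite_seen_by_client": seen,
            "premaster_rsa_bits": bits, "downgraded": bits <= EXPORT_KEY_BITS}


def at_risk(client: Client, server: Server) -> bool:
    """The precondition as the University of Michigan researchers state it."""
    return server.accepts_export and (client.offers_export or not client.patched)


if __name__ == "__main__":
    for offers in (False, True):
        for patched in (False, True):
            for accepts in (False, True):
                c, s = Client(offers, patched), Server(accepts)
                r = handshake(c, s, mitm=True)
                print(f"client offers_export={offers!s:5} patched={patched!s:5} "
                      f"server accepts_export={accepts!s:5} -> {r['status']:14} "
                      f"downgraded={r['downgraded']} at_risk={at_risk(c, s)}")
```

Running the script prints all eight client/server combinations under a man in the middle; in every row the simulated outcome agrees with the `at_risk` precondition, which is the point of the model: a patched client that never offers export suites is safe even against a server that still accepts them, while a client that offers them is exposed regardless of the CVE-2015-0204 fix.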
“FREAK only affects old unpatched Web servers. None of the mainstream websites will be affected,” Spikes Security CEO Branden Spikes told TechNewsWorld.
Fixing the Problem
“Android’s connections to most websites — which include Google sites, and others without export certificates — are not subject to this vulnerability,” Google spokesperson Elizabeth Markman told TechNewsWorld.
Google has developed a patch to protect Android’s connection to vulnerable sites and has provided it to partners.
Microsoft includes instructions for a workaround in its security advisory: Users “can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor.” Note that this removes every RSA key exchange suite, not only the export-grade ones, so clients that support nothing else will no longer be able to connect.
Microsoft said it is working on a fix for the underlying problem.
Apple reportedly is rolling out a patch.
The Sky Is Not Falling
FREAK “is more or less a hypothetical threat based on a series of very unusual conditions that are unlikely to affect most users of the Internet,” Lieberman maintained.
The attack “depends on physical compromise of your connection and a series of lucky coincidences such as you running the right browser and hitting the right websites for now,” he explained.
“Many open source-based embedded systems with Web interfaces and general open source Web servers using older versions of OpenSSL will be in for another round of unpleasant patching,” Lieberman remarked.
“Heartbleed was a ‘you must patch’ scenario for Internet-facing sites,” Lieberman said, “FREAK is an interesting technique, but it shouldn’t keep anybody awake at night unless their Internet connection is tapped or they’re using WiFi without encryption and authentication.”