After Safari and iOS, Windows also vulnerable to FREAK

Microsoft Windows is also vulnerable to FREAK, a decade-old security flaw.

Security researchers announced on Wednesday that Apple’s Safari and Google’s Android browser were vulnerable to the flaw, but now we know that Windows can be affected, too.

Microsoft warned that the encryption protocols used in Windows - Secure Sockets Layer and its successor Transport Layer Security - were also vulnerable to the flaw, cNet reports.

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems."

A fix is expected during the regularly scheduled Patch Tuesday, or maybe even sooner, with an out-of-cycle patch. In the meantime, Microsoft recommends disabling the RSA export ciphers.
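As an illustration of that interim workaround, the sketch below is an added example, not code from Microsoft's advisory. It audits a configured cipher-suite order and separates out the RSA export suites so they can be removed. The suite-order strings are constructed samples, and the function names are hypothetical.

```python
import re

# RSA key exchange with export-grade parameters, IANA/Schannel-style names
# (TLS_RSA_EXPORT_WITH_..., TLS_RSA_EXPORT1024_WITH_..., SSL_RSA_EXPORT_WITH_...).
_IANA_RSA_EXPORT = re.compile(r"^(TLS|SSL)_RSA_EXPORT(1024)?_WITH_", re.I)
# OpenSSL-style names: an EXP- or EXP1024- prefix marks an export suite. RSA key
# exchange is implied unless another key exchange is named after the prefix.
_OPENSSL_EXPORT = re.compile(r"^EXP(1024)?-(?P<rest>.+)$", re.I)
_OPENSSL_OTHER_KX = re.compile(r"^(EDH|DHE|ADH|DH|KRB5)-", re.I)


def is_rsa_export(suite: str) -> bool:
    """True if the suite name denotes RSA key exchange with export-grade keys."""
    name = suite.strip()
    if _IANA_RSA_EXPORT.match(name):
        return True
    m = _OPENSSL_EXPORT.match(name)
    return bool(m) and not _OPENSSL_OTHER_KX.match(m.group("rest"))


def audit_suite_order(order: str, sep: str = ","):
    """Split a suite-order string and return (kept, removed), order preserved."""
    kept, removed = [], []
    for suite in (s.strip() for s in order.split(sep)):
        if not suite:
            continue  # tolerate trailing separators and blank entries
        (removed if is_rsa_export(suite) else kept).append(suite)
    return kept, removed


# Constructed sample: a comma-separated order using Schannel-style names.
SCHANNEL_ORDER = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,"
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"
)
# Constructed sample: a colon-separated list using OpenSSL-style names.
OPENSSL_ORDER = "ECDHE-RSA-AES128-GCM-SHA256:EXP-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:AES128-SHA"

if __name__ == "__main__":
    for label, order, sep in (("schannel", SCHANNEL_ORDER, ","),
                              ("openssl", OPENSSL_ORDER, ":")):
        kept, removed = audit_suite_order(order, sep)
        print(f"{label}: remove {removed}")
        print(f"{label}: hardened order = {sep.join(kept)}")
```

The check is deliberately scoped to RSA export key exchange, the suites named in the recommendation; other export-grade suites in the samples (for example the DHE ones) are left in the kept list and would need a separate review.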

The flaw stems from a US government policy decision back in the 1990s, which prohibited the use of strong encryption in products headed for customers in other countries and stipulated that a weaker standard (using only 512-bit cryptography, which is deemed very poor these days) should be applied to them instead. This was done for reasons of national security – i.e. spying.

While these rules were ditched before the 1990s were out, the problem is that the weaker encryption was baked into popular software, and is in fact still around today.

Apple and Google have fixes readied for the Safari and Android browsers, with Google having developed a patch for its OS which the company says it has already sent out to partners.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.