
Microsoft patches FREAK vulnerability

Microsoft has patched FREAK, a decade-old security flaw that allowed man-in-the-middle (MitM) attacks on its Windows operating system.

With FREAK, attackers could intercept secured network communications.

An attacker could use the flaw to secretly access and even alter communications between two parties, said Amol Sarwate, director of engineering at security firm Qualys, PC World writes.

While the FREAK flaw itself resides in SSL, Microsoft has fixed the SSL implementations in its own software through MS15-031.

Last week, news broke that both iOS and Windows were vulnerable to FREAK, and patches fixing the problem have now been issued for both operating systems.

The flaw is in encryption, stemming from a US government policy decision back in the 1990s which prohibited the use of strong encryption, and stipulated that a weaker standard (using only 512-bit cryptography, which is deemed very poor these days) should be applied to products headed for customers in other countries. This was done for reasons of national security – i.e. spying.

While these rules were ditched before the 1990s were out, the problem is that the weaker encryption was baked into popular software, and is in fact still around today.

The security update bundle Microsoft released also fixes another old bug – Stuxnet.

Stuxnet is a computer worm discovered in June 2010, and designed to attack industrial programmable logic controllers. The worm reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges of their nuclear facilities to tear themselves apart.

Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.