
Microsoft patches FREAK vulnerability

Microsoft has patched FREAK, a decade-old security flaw that allowed man-in-the-middle (MiTM) attacks against its Windows OS.

With FREAK, attackers could intercept secured network communications.

An attacker could use the flaw to secretly access and even alter communications between two parties, said Amol Sarwate, director of engineering at security firm Qualys, PC World writes.

While the FREAK flaw itself resides in SSL, Microsoft has fixed the SSL implementations in its own software through MS15-031.

Last week, news broke that both iOS and Windows were vulnerable to FREAK, and now both of those OSes have received patches fixing the problem.

The flaw is in encryption, stemming from a US government policy decision back in the 1990s which prohibited the use of strong encryption, and stipulated that a weaker standard (using only 512-bit cryptography, which is deemed very poor these days) should be applied to products headed for customers in other countries. This was done for reasons of national security – i.e. spying.

While these rules were ditched before the 1990s were out, the problem is that the weaker encryption was baked into popular software, and is in fact still around today.

The security update bundle Microsoft released also fixes another old bug, one exploited by Stuxnet.

Stuxnet is a computer worm discovered in June 2010, and designed to attack industrial programmable logic controllers. The worm reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges of their nuclear facilities to tear themselves apart.

Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges.