Mega ‘FREAK’ bug affects Microsoft too, company warns

Microsoft now admits that its Windows operating systems are vulnerable to the colossal FREAK encryption bug, potentially putting millions of computer users at risk after initial reports about the flaw fell short of finding the tech giant susceptible.

On the heels of reports about the bug that surfaced earlier this week, the Redmond, California-based computer company admitted in a security advisory published on Thursday that “all supported releases of Microsoft Windows” can be exploited by the encryption bug.

Earlier reports indicated that Apple’s Safari browser and smartphones running off Android and Blackberry operating systems, among other devices, could be compromised through a newly discovered flaw that lets attackers decrypt supposedly secure traffic going from phones to websites and vice versa, prompting responses from Google and other affected parties.

“Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours,” Chris Timberg wrote for the Washington Post on Tuesday this week. “Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the web sites themselves by taking over elements on a page, such as a Facebook ‘Like’ button.”

But with the latest acknowledgement concerning all versions of Windows, according to Microsoft, millions more computers across the world could be exploited by the same technique.

“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” the company said on Thursday.

According to the tech giant, investigators determined that an attacker with the right tools could use the newly disclosed vulnerability to “force the downgrading of the cipher suites” used, in theory, to send data securely over the web through a protocol known as SSL/TLS.

“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems,” Microsoft said.

Chris Duckett, a reporter for tech website ZDnet, acknowledged that Microsoft’s 1,000-person strong research division was involved in discovering the FREAK bug with the assistance of European crypto experts, but “chose not to reveal Windows as vulnerable” until several days after details about the flaw first became apparent.

“When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers,” Microsoft said. “We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.”

Net Applications, a web analytics firm, believes more than three-quarters of the desktop computers in use around the globe run Windows operating systems.