Microsoft gets its FREAK on fast, patches encryption bug in Windows
MS15-031 patches Schannel, the set of Windows protocols that, among other things, accesses the OS's cryptographic features to encrypt traffic between browsers and website servers using SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security).
Even though Microsoft acknowledged last week that Windows was susceptible to FREAK attacks -- adding millions more potential victims -- the company reminded everyone today that the flaw wasn't exclusive to Windows, using boilerplate that it typically trots out in such instances.
"This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems," said the bulletin. "The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems."
Microsoft rated MS15-031 as "important," its second-most-serious threat ranking. The bulletin affected every supported version of Windows, from Server 2003 -- which will be retired in July -- and Windows 7 to Windows 8.1 and Server 2012 R2. Because Windows XP dropped off the public support list in April 2014, it did not receive an update, even though the OS is also almost certainly vulnerable.
FREAK, for "Factoring on RSA-EXPORT Keys," was the name assigned last week by researchers from Microsoft and INRIA, a French research institute, to a design flaw that could let cyber criminals silently force a browser-server connection to fall back to long-discarded encryption standards, even on operating systems whose makers believed they had effectively disabled those libraries, as had Microsoft since Windows Vista and Server 2008. The at-risk ciphers were guarded by keys relatively easy to crack with off-the-shelf software and computing power purchased from cloud services.
The weaker ciphers were once the only allowed for export outside the U.S. Although export rules were gradually relaxed in the late 1990s, then largely abandoned in the following years, some browsers and servers still blithely supported the fallback to them.
Criminals would likely leverage the bug through a classic "man-in-the-middle" (MITM) attack, where they insert themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.
Microsoft's fix followed updates issued yesterday by Apple for both iOS and OS X, and an even earlier one released by Google on March 3 for Chrome on Windows, OS X and Linux.
Microsoft's quick reaction to the FREAK flaw was unusual: The company usually takes a minimum of weeks to craft and test a patch. "A bit actually," said Andrew Storms, vice president of security services for New Context, when asked if he was surprised by Microsoft's speedy fix.
Computerworld verified that the MS15-031 update successfully patched IE against FREAK. Previously, IE11 on Windows 7 had been reported as vulnerable when tested on FREAKattack.com, a site maintained by a group of computer scientists at the University of Michigan, some of whom are also responsible for the open-source ZMap network scanner project.
MS15-031 was one of 13 security updates Microsoft released today.
Windows users can obtain March's Patch Tuesday slate, including the FREAK fix, via the Windows Update service, as well as through the enterprise-oriented WSUS (Windows Server Update Services).