UPDATED 07:41 EDT / MARCH 11 2015

Microsoft patches FREAK and Stuxnet bugs for Windows PCs

One week after Microsoft released a security warning stating that hundreds of millions of Windows users could be at risk from the FREAK flaw, a bug that could allow hackers to intercept communications by forcing machines into loading weaker encryption, the Redmond company has issued an update (one of 14 updates for Patch Tuesday) to fix the vulnerability.

The bug was not unique to Windows, and the FREAK update comes just one day after Apple Inc. issued a fix for iOS and OSX, while back on March 3rd Google released a patch for Chrome on Windows, OS X and Linux.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” said Microsoft, adding that, “The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.”

The vulnerability was discovered some weeks ago after French researchers found they could manipulate websites to use weak encryption, which they were then able to crack in a short time. After the encryption was broken the researchers could collect password data and take control of various elements of a webpage. Effectively, if hackers had exploited the flaw they would have been able to act as a man in the middle and come between users and servers on an insecure WiFi network. So far there is no evidence that the vulnerability was exploited by hackers.

FREAK (Factoring RSA Export Keys) originated in the 1990s, when the U.S. government wanted to keep an eye on people, creating policies to weaken encryption and ban exports of the strongest encryption. Although the law later changed, some of the weaker cipher suites carried over into modern software.

Also included in the updates was a patch for a Stuxnet-related bug, something Microsoft thought it had fixed back in 2010. Stuxnet was a worm allegedly created by the U.S. and Israeli governments some years ago to infiltrate Iran’s nuclear facility, crash computers, and in doing so destabilize Iran’s nuclear program. The worm has since been found on systems in other countries around the world.
