Microsoft reveals Windows vulnerable to FREAK SSL flaw
Summary:Redmond has said that the FREAK security flaw is
found in versions of its Windows operating system from Windows Server
2003, Windows Vista, and higher.
Although Microsoft Research was part of the team to uncover FREAK alongside European cryptographers, Redmond chose not to reveal Windows as vulnerable until today.
"When this security
advisory was originally released, Microsoft had not received any
information to indicate that this issue had been publicly used to attack
customers," the company said.
Microsoft said it is "actively working" with its Microsoft Active Protections Program partners to protect them, and once it has completed an investigation, it would "take the appropriate action to help protect customers".
"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," Microsoft said.
Affected versions of Windows include Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and Windows RT.
Microsoft said users could disable the RSA key exchange ciphers that result in FREAK by changing the SSL Cipher Suite in the Group Policy Object Editor -- unless they are using Windows Server 2003, which does not allow for individual ciphers to be enabled and disabled.
"Windows servers are not impacted in the default configuration (export ciphers disabled)," the company said.
After claiming the software stacks that rely on Apple TLS/SSL and OpenSSL earlier in the week, companies have been scrambling to release patches for impacted systems.
At the time of writing, the list of affected web browsers on freakattack.com included Internet Explorer, Chrome on Android, the stock Android browser, Safari on Mac OS X and iOS, BlackBerry browser, and Opera on Mac OS X and Linux.
Users can test whether their web browser is affected at the FREAK Client Test Tool.
Microsoft said it is "actively working" with its Microsoft Active Protections Program partners to protect them, and once it has completed an investigation, it would "take the appropriate action to help protect customers".
"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," Microsoft said.
Affected versions of Windows include Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and Windows RT.
Microsoft said users could disable the RSA key exchange ciphers that result in FREAK by changing the SSL Cipher Suite in the Group Policy Object Editor -- unless they are using Windows Server 2003, which does not allow for individual ciphers to be enabled and disabled.
"Windows servers are not impacted in the default configuration (export ciphers disabled)," the company said.
After claiming the software stacks that rely on Apple TLS/SSL and OpenSSL earlier in the week, companies have been scrambling to release patches for impacted systems.
At the time of writing, the list of affected web browsers on freakattack.com included Internet Explorer, Chrome on Android, the stock Android browser, Safari on Mac OS X and iOS, BlackBerry browser, and Opera on Mac OS X and Linux.
Users can test whether their web browser is affected at the FREAK Client Test Tool.
No comments:
Post a Comment