Microsoft now admits that its Windows operating systems are vulnerable to the colossal FREAK encryption bug, potentially putting millions of computer users at risk after initial reports about the flaw fell short of finding the tech giant susceptible.
On the heels of reports about the bug that surfaced earlier this week, the Redmond, California-based computer company admitted in a security advisory published on Thursday that “all supported releases of Microsoft Windows” can be exploited by the encryption bug.
Earlier reports indicated that Apple’s Safari browser and smartphones running Android and BlackBerry operating systems, among other devices, could be compromised through a newly discovered flaw that lets attackers decrypt supposedly secure traffic going from phones to websites and vice versa, prompting responses from Google and other affected parties.
“Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours,” Chris Timberg wrote for the Washington Post on Tuesday this week. “Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the web sites themselves by taking over elements on a page, such as a Facebook ‘Like’ button.”
But with the latest acknowledgement concerning all versions of Windows, according to Microsoft, millions more computers across the world could be exploited by the same technique.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” the company said on Thursday.
According to the tech giant, investigators determined that an attacker with the right tools could use the newly disclosed vulnerability to “force the downgrading of the cipher suites” used, in theory, to send data securely over the web through a protocol known as SSL/TLS.
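The downgrade Microsoft describes is visible on the wire: the ServerHello names the cipher suite the connection will actually use, and FREAK pushes that choice onto an export-grade RSA suite with a 512-bit key. The following is an added example, not code from the article or from Microsoft's advisory, that parses constructed TLS ClientHello and ServerHello records and flags a server committing to such a suite; the cipher-suite values are from the IANA registry, and the sample handshake is constructed for the demonstration.

```python
import struct

# Export-grade RSA cipher suites (IANA TLS Cipher Suite Registry values); a FREAK
# downgrade lands a connection on one of these, whose 512-bit RSA key is factorable.
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header, checking both."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type != expected_type or hs_len > rec_len - 4:
        raise ValueError("unexpected handshake message type or length")
    return record[9:9 + hs_len]

def client_offered_suites(record):
    """Cipher suites a ClientHello advertises, in the client's preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32 + 1 + body[34]                 # skip version, random, session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]

def server_selected_suite(record):
    """The single cipher suite a ServerHello commits the connection to."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32 + 1 + body[34]                 # skip version, random, session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]

def freak_downgrade(client_hello, server_hello):
    """Alert string when the server picks export RSA, None when the negotiation is clean."""
    chosen = server_selected_suite(server_hello)
    if chosen not in RSA_EXPORT_SUITES:
        return None
    offered = chosen in client_offered_suites(client_hello)
    tag = "offered by client" if offered else "NOT offered by client: in-path downgrade"
    return "%s (%s)" % (RSA_EXPORT_SUITES[chosen], tag)

# Constructed sample handshake (not captured traffic): a client offering only ECDHE/RSA
# AES suites, answered by a ServerHello that selects an export suite it never listed.
def _hello(hs_type, tail):
    body = b"\x03\x03" + bytes(32) + b"\x00" + tail     # version, zero random, no session_id
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs
_cs = b"".join(struct.pack("!H", s) for s in (0xC02F, 0x002F))
SAMPLE_CLIENT_HELLO = _hello(CLIENT_HELLO, struct.pack("!H", len(_cs)) + _cs + b"\x01\x00")
SAMPLE_SERVER_HELLO = _hello(SERVER_HELLO, struct.pack("!H", 0x0003) + b"\x00")
```

A sensor placed on the client side sees the client's original offer, so an export suite the client never listed is the strongest indicator; a server-side sensor sees the tampered ClientHello and should treat any export-suite selection as an alert.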
“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems,” Microsoft
Chris Duckett, a reporter for tech website ZDNet, acknowledged that Microsoft’s 1,000-strong research division was involved in discovering the FREAK bug with the assistance of European crypto experts, but “chose not to reveal Windows as vulnerable” until several days after details about the flaw first became apparent.
“When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers,” Microsoft said. “We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.”
Net Applications, a web analytics firm, believes more than three-quarters of the desktop computers in use around the globe run Windows operating systems.