Microsoft released a Windows update Tuesday to address the “FREAK” security vulnerability, a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted.
The update, one of 14 bulletins issued as part of Microsoft’s regularly scheduled Patch Tuesday, also included an updated patch for Stuxnet, a sophisticated computer virus Microsoft said it addressed five years ago. The FREAK bulletin, rated “important,” Microsoft’s second-highest security rating, came less than a week after Microsoft acknowledged that the encryption protocols used in all supported versions of Windows were also vulnerable to the flaw.
In its security bulletin announcing the fix, Microsoft noted that Apple’s Safari and Google’s Android browsers were also identified as being susceptible to the flaw.
“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” Redmond said in the bulletin. “The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems.”
The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site’s encryption was cracked, hackers could then steal data such as passwords and hijack elements on the page.
Read the Full Article: Source – c|net