The number of users at risk from the recently discovered Factoring attack on RSA-Export Keys (FREAK) flaw has increased substantially with Microsoft’s confirmation Thursday that all supported releases of Windows are vulnerable to attacks that exploit the issue.
However, security researchers remain optimistic that the actual chances of the flaw being exploited widely remain relatively low, simply because of the effort required to pull off the attack.
In a security alert, Microsoft said it was aware of a “security feature bypass” vulnerability in the Secure Channel security package that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in Windows.
The vulnerability could allow an attacker to force the downgrade of encryption protocols used in an SSL/TLS connection between a Windows client system and a server, Microsoft said.
“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems,” the company noted.
Microsoft will provide a fix through its monthly release process or provide an out-of-cycle security update, the company said.
Enterprises should pay attention to the news, because a vast majority of them run Windows systems, says Sekhar Sarukkai, co-founder and vice president of engineering at Skyhigh Networks. “It is important because it can have an impact on the insider threat issue,” Sarukkai said.
A Windows user with malicious intent can potentially take advantage of the flaw to force a downgrade of the encryption protocols and gain illegal access to systems and data, he said.
Sarukkai said that Skyhigh has discovered that at least 695 cloud service providers are also vulnerable to the issue, including leading backup, HR, security, CRM and ERP service providers.
Simon Crosby, CTO of Bromium, said news about Microsoft Windows also being vulnerable means FREAK is more serious than initially thought. “More broadly, the bug brings up some pretty serious questions about how the security protocols of yesteryear may affect us today and in the future,” he said in an emailed statement. “The older your infrastructure, the more likely latent vulnerabilities will surface, as they have in this case.” The message for CIOs is to upgrade and patch where they can, he said.
When Microsoft and researchers at INRIA and IMDEA first reported the FREAK vulnerability earlier this week, they described the flaw as only affecting Apple’s Safari TLS/SSL clients and Google’s Android OpenSSL clients.
The vulnerability basically gives attackers a way to weaken and break the encryption that is used to protect communications between a client browser and a web server. It takes advantage of the fact that millions of websites that issue browser-trusted SSL certs based on current crypto standards also still support the archaic 512-bit “export-grade” RSA cipher suites of SSL/TLS that many assumed had become extinct years ago.
The support is a hangover from the 1990s when a U.S. government ban on the export of strong encryption tools resulted in technology firms shipping 512-bit encryption products overseas instead.
As cryptographer Matthew Green explains, this resulted in U.S. servers needing to support both weak and strong encryption protocols. To cope with this, SSL designers developed a sort of negotiating mechanism to identify the best protocol to use for clients supporting strong encryption and for those with the weaker 512-bit crypto.
Over the years the ban on encryption was lifted but millions of servers around the world still support both strong and weak crypto contrary to what security researchers had assumed.
Modern TLS clients from Apple, Google, and, with Wednesday’s announcement, Microsoft, have a bug that allows attackers to take advantage of this fact, and essentially trick a web server into using the weaker 512-bit encryption during a session.
According to the security researchers who discovered the flaw, an attacker would need just over seven hours to crack the session key and essentially intercept traffic in clear text as it flows between the browser and server and steal data or launch attacks against the web server.
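The downgrade described above, modelled as an added example (not code from the article or from the researchers): a server-side audit for export suites still enabled, and the client-side check that a patched TLS client performs. The cipher-suite IDs are the real IANA values; the key sizes and server behaviour are constructed, and nothing touches the network.

```python
# Model of the FREAK downgrade and of the client-side check that stops it.
# Constructed example: suite IDs are the real IANA values, key sizes and the
# server's (or attacker's) behaviour are simulated, no network traffic.

EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_AES128 = 0x002F        # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary RSA suite
ECDHE_AES128_GCM = 0xC02F  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

def export_suites_enabled(server_suites):
    """Server-side audit: names of any export-grade suites still enabled."""
    return [EXPORT_SUITES[s] for s in server_suites if s in EXPORT_SUITES]

def client_handshake(offered, chosen, cert_bits, ske_bits=None, patched=True):
    """Simulate the client's view of an RSA handshake.

    offered   - suites the client listed in its ClientHello
    chosen    - suite the (possibly attacker-rewritten) ServerHello selects
    cert_bits - RSA key size in the server's certificate
    ske_bits  - RSA key size in a ServerKeyExchange, if one was sent; the
                protocol only allows that message for RSA_EXPORT suites
    Returns the RSA key size the client will encrypt its premaster secret to,
    or raises ValueError where a patched client aborts the handshake.
    """
    if chosen not in offered:
        raise ValueError("server chose a suite the client did not offer")
    if patched and chosen in EXPORT_SUITES:
        raise ValueError("export suite negotiated; client refuses 512-bit RSA")
    if ske_bits is None:
        return cert_bits                  # normal RSA key exchange, cert key
    if patched and chosen not in EXPORT_SUITES:
        # The FREAK fix: an ephemeral RSA key only belongs to export suites.
        raise ValueError("unexpected RSA ServerKeyExchange for non-export suite")
    return ske_bits                       # unpatched client uses the weak key

def freak_mitm_scenario(patched):
    """The man-in-the-middle case: the client believes it negotiated AES-128
    against a 2048-bit certificate but is handed a 512-bit export key."""
    return client_handshake([ECDHE_AES128_GCM, RSA_AES128], RSA_AES128,
                            cert_bits=2048, ske_bits=512, patched=patched)
```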
Nearly one-quarter of all SSL-encrypted websites are believed vulnerable to the flaw.
Pulling off an attack though is not easy, because it would require an attacker to first identify a vulnerable client and web server and then launch a man-in-the-middle attack to intercept and manipulate the session between the browser and server.
“This is still a highly targeted attack however, since the attacker must target specific sites with support for export encryption and then spend the effort to crack their 512-bit RSA ephemeral key,” says Craig Young, senior security researcher at Tripwire. The attack is only possible if server administrators have left the weaker “export” ciphers enabled, he said in emailed comments.
“Windows users should not be particularly concerned about this attack, but it would be wise to disable the RSA key exchange ciphers as Microsoft recommends particularly on systems which are used on public wireless networks.”