Microsoft Windows update addresses FREAK flaw, Stuxnet worm

The fix comes less than a week after Redmond acknowledged vulnerability to decade-old encryption flaw.

Steven Musil Night Editor / News

Microsoft's update also addresses Stuxnet, a worm patched five years ago.

Microsoft released a Windows update Tuesday to address the "FREAK" security vulnerability, a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted.

The update -- among 14 bulletins issued as part of Microsoft's regularly scheduled Patch Tuesday -- also included an updated patch for Stuxnet, a sophisticated computer virus Microsoft said it addressed five years ago. The FREAK bulletin -- rated "important," Microsoft's second-highest security severity rating -- came less than a week after Microsoft acknowledged that the encryption protocols used in all supported versions of Windows were also vulnerable to the flaw.

In the security bulletin announcing the fix, Microsoft noted that Apple's Safari and Google's Android browsers had also been identified as susceptible to the flaw.

"This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems," Redmond said in the bulletin. "The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems."

The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page.

Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and web browsers.
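The bulletin's description of the fix ("correcting the cipher suite enforcement policies that are used when server keys are exchanged") and the researchers' account of forcing a site into export-grade encryption can be made concrete with a small model. The block below is an added example, not Microsoft's code or any real TLS library: it models a client that receives a ServerHello and an optional ServerKeyExchange as plain dictionaries (an assumed layout), and contrasts a client that accepts whatever key the server sends with one that enforces the policy a correct implementation applies: the chosen suite must be one the client offered, export-grade suites are refused, a key-exchange message that the chosen suite does not call for is refused, and a key below a minimum size is refused. Suite names are genuine TLS identifiers; the 1024-bit threshold, the `_bits` fields and the function names are assumptions made for illustration.

```python
"""Simplified model of client-side TLS cipher-suite enforcement.

Added example, not code from Microsoft or from any TLS implementation.
Handshake messages are modelled as dicts (assumed layout); the minimum
key size is an illustrative choice.
"""

MIN_RSA_BITS = 1024  # assumed policy threshold; export-grade keys were 512 bits


class HandshakeRejected(Exception):
    """Raised when the client refuses the server's handshake parameters."""


def is_export_suite(suite: str) -> bool:
    """Export-grade suites carry EXPORT in their IANA name."""
    return "_EXPORT" in suite


def key_exchange_of(suite: str) -> str:
    """Return the key-exchange part of a TLS_<kx>_WITH_<cipher> name."""
    return suite.removeprefix("TLS_").split("_WITH_")[0]


def vulnerable_accept(handshake: dict) -> tuple:
    """Model of the defective behaviour: trusts the server's choice and,
    if a ServerKeyExchange arrives, uses the key it carries without asking
    whether the chosen suite should have one at all."""
    ske = handshake.get("server_key_exchange")
    if ske is not None:
        return ("ephemeral_rsa", ske["bits"])
    return ("certificate_rsa", handshake["cert_key_bits"])


def hardened_accept(handshake: dict) -> tuple:
    """Model of the corrected enforcement policy."""
    chosen = handshake["chosen"]
    if chosen not in handshake["offered"]:
        raise HandshakeRejected(f"server chose {chosen}, which the client never offered")
    if is_export_suite(chosen):
        raise HandshakeRejected(f"export-grade suite {chosen} is not acceptable")
    ske = handshake.get("server_key_exchange")
    if ske is not None:
        # A plain RSA key exchange has no ServerKeyExchange message; an
        # ephemeral RSA key here is inconsistent with the negotiated suite.
        if key_exchange_of(chosen) == "RSA":
            raise HandshakeRejected("unexpected ServerKeyExchange for RSA suite")
        if ske["bits"] < MIN_RSA_BITS:
            raise HandshakeRejected(f"{ske['bits']}-bit key below policy minimum")
        return ("ephemeral_rsa", ske["bits"])
    if handshake["cert_key_bits"] < MIN_RSA_BITS:
        raise HandshakeRejected("certificate key below policy minimum")
    return ("certificate_rsa", handshake["cert_key_bits"])


def strip_export_suites(offered: list) -> list:
    """Configuration-side policy: never offer export-grade suites."""
    return [s for s in offered if not is_export_suite(s)]


# Constructed sample handshakes (not captured traffic).
NORMAL_HANDSHAKE = {
    "offered": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    "chosen": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "server_key_exchange": None,
    "cert_key_bits": 2048,
}

# The server claims the strong suite but supplies a 512-bit ephemeral key.
DOWNGRADED_HANDSHAKE = {
    "offered": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    "chosen": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "server_key_exchange": {"type": "rsa", "bits": 512},
    "cert_key_bits": 2048,
}


if __name__ == "__main__":
    print("normal, hardened:", hardened_accept(NORMAL_HANDSHAKE))
    print("downgraded, vulnerable:", vulnerable_accept(DOWNGRADED_HANDSHAKE))
    try:
        hardened_accept(DOWNGRADED_HANDSHAKE)
    except HandshakeRejected as err:
        print("downgraded, hardened: rejected ->", err)
```

The point the model makes is that the weak key is only usable because the defective client treats the server's key material as authoritative; once the client checks that the suite it ends up with is one it offered and that the key-exchange message matches that suite, the same handshake is refused. The `strip_export_suites` helper covers the complementary configuration fix of not offering export-grade suites in the first place.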

Microsoft's FREAK patch comes a day after Apple released iOS 8.2, which includes a fix designed to resolve the issue on Apple's mobile devices. Google has also developed a fix it is providing to device makers and wireless carriers.

Microsoft's update also revisited Stuxnet, a highly destructive worm thought to have been developed jointly and in secret by the US and Israel to infect a nuclear enrichment facility in Iran in 2010. Rather than steal data, Stuxnet left a back door meant to be accessed remotely to allow outsiders to stealthily knock the facility offline and at least temporarily cripple Iran's nuclear program. While Microsoft issued a patch in 2010 to close a hole Stuxnet was using to infect PCs, Tuesday's update addressed a pair of remote code execution vulnerabilities.