Computers which are running any microsoft windows have been found vulnerable to "FREAK," a almost decade-old encryption flaw that make users vulnerable to having their data communications .Those communications can be intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov it can be even secure site like google.
Previously it was said that flaw was limited to Apple's safari and Google's ANDROID browsers. Later on Microsoft warned that the encryption protocols used in Windows -- Secure Sockets Layer and its successor Transport Layer Security -- were also vulnerable to the flaw which created a buzz among microsoft users.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said.They further added "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry wide issue that is not specific to Windows operating systems."
According to microsoft it will address the flaw by releasing a patch for it on Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft has suggested users to disable the RSA export ciphers.
The FREAK (Factoring RSA Export Keys) flaw buzzed on internet few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked,if once cracked than it allow hackers to steal data such as passwords, and hijack elements on the page.
Researchers said that they had not found any evidence regarding hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards which were available. The restrictions were lifted in the late 1990s, but the weaker standards became the part of software used widely around the world, including Windows and the web browsers.
"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor," Matthew Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, wrote in a blog post explaining the flaw's origins and effects. "This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today."
stay tuned for further upadates
No comments:
Post a Comment