Microsoft fixes FREAK vulnerability in Patch Tuesday update

Included in the latest Patch Tuesday release is a fix for the FREAK vulnerability that could help attackers intercept secured network communications.

Discovered earlier this month, FREAK (Factoring attack on RSA_EXPORT Keys) provides a way for an attacker to intercept SSL-encrypted traffic (Secure Sockets Layer) as it moves between clients and servers.

The problem stems from export restrictions imposed by the U.S. government in the early 1990’s, which prohibited software makers from shipping products with strong encryption overseas.

The vulnerability that has recently surfaced, allows attackers to downgrade the security of connections from strong encryption to that of the weaker export-grade encryption. Servers or clients that accept the RSA_Export cipher suites are at risk. The RSA_Export keys can be downgraded by preforming a man-in-the-middle-attack that interferes with the set-up process of an encrypted connection. Although there are defenses in the SSL/TLs protocol to prevent such tampering, they can be worked around. The weaker, 512-bit keys can be revealed using today’s powerful computers, and the data traffic can then be decrypted.

Today’s protocols use longer encryption keys, and the standard is 2,048-bt RSA. The 512-bit keys were considered secure two decades ago, but an attacker could recover the key they need quite easily today using a public cloud service.

These vulnerabilities can affect Microsoft Exchange Outlook Web App (OWA), where a user could be fooled into clicking on a maliciously crafted email link that directs them to the OWA site, and then extends the user’s access privileges on that machine to the attacker.

While the FREAK flaw itself resides in SSL, Microsoft has fixed the SSL implementations in its own software through MS15-031.

The critical bulletins for both Explorer (MS15-018) and Office (MS15-022) address flaws that would let an attacker take remote control of a machine.  Although not ranked as critical, MS15-026 should be examined by administrators who oversee Exchange servers to counter the vulnerability to OWA mentioned above.

Use Ctrl+Shift+R to “Reply all” to the selected message.


Will tablet and Smart phone use be a big part of your OWA 2013 deployment?