Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk.
The news was a turnabout from earlier in the week, when researchers initially fingered only Apple's iOS and OS X and Google's Android operating systems as those that could fall victim to cybercriminals spying on purportedly secure communications between browsers and website servers.
By adding Windows to the list, the number of jeopardized users jumped dramatically: Windows powered 92% of all personal computers last month.
In a security advisory released Thursday, Microsoft said Windows was, in fact, vulnerable to FREAK (Factoring attack on RSA-EXPORT Keys).
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Microsoft said in the advisory. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."
Schannel is a set of Windows protocols that, among other things, accesses the OS's cryptographic features to encrypt traffic between browsers and website servers using SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security).
FREAK, on the other hand, is the label for the flaw that researchers from INRIA, a French research institute, and Microsoft disclosed Tuesday. The bug could allow attackers to silently force a browser-server connection to fall back to long-discarded encryption standards, those guarded by keys relatively easy to crack with off-the-shelf software and computing power purchased from cloud services like Amazon's EC2.
The most likely assault would be through a classic "man-in-the-middle" (MITM) attack, where criminals interpose themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.
Microsoft listed every still-supported version of Windows as affected by the bug. Although the advisory did not promise a patch, Microsoft almost certainly will. The next regularly scheduled Patch Tuesday is next week, March 10.
In their default configurations, however, Windows-powered servers — except for Windows Server 2003, the edition slated for retirement in July — do not support the export-grade ciphers that are at the root of FREAK.
Because Windows harbors the bug, Microsoft's IE browser is also vulnerable to a FREAK attack. (IE relies on Windows' cryptography to implement SSL and TLS.)
Earlier this week, the FREAKattack.com browser test — maintained by a group of computer scientists at the University of Michigan — reported that IE was safe. That was premature. "An earlier version of our test gave incorrect results for IE; IE is indeed vulnerable," the group said on a revised FreakATTACK.com.
Sign up for CIO Asia eNewsletters.