With millions of users still relying on Windows XP, a new potential security threat looms ahead: researchers at INRIA in France have uncovered a FREAK encryption bug in the XP operating system from Microsoft. According to Computerworld, the problem is so severe that Microsoft is scrambling to fix it, or is it?
The news was a turnabout from earlier in the week, when researchers initially fingered only Apple’s iOS and OS X and Google’s Android operating systems as those that could fall victim to cybercriminals spying on purportedly secure communications between browsers and website servers.
By adding Windows to the list, the number of jeopardized users jumped dramatically: Windows powered 92% of all personal computers last month.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” Microsoft said in the advisory. “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.”
Schannel is a set of Windows protocols that, among other things, accesses the OS’s cryptographic features to encrypt traffic between browsers and website servers using SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security).
Because Windows harbors the bug, Microsoft’s IE browser is also vulnerable to a FREAK attack. (IE relies on Windows’ cryptography to implement SSL and TLS.)
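To make the cipher-suite downgrade in Microsoft's advisory concrete, the following added example (not from Microsoft, INRIA or Computerworld) audits a captured ClientHello/ServerHello pair for export-grade RSA suites and for a server selection the client never offered. It assumes TLS 1.2-or-earlier hello bodies with the handshake header already stripped; the FREAK link to export-grade RSA is background not stated above, and the sample messages are constructed.

```python
import struct

# Export-grade RSA key-exchange suites, by IANA cipher suite ID.
EXPORT_RSA = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def after_session_id(body: bytes) -> int:
    """Offset just past version(2) + random(32) + session_id in a hello body."""
    if len(body) < 35:
        raise ValueError("hello body too short")
    return 35 + body[34]

def offered_suites(client_hello: bytes) -> list:
    """Cipher suite IDs the client listed, in preference order."""
    pos = after_session_id(client_hello)
    if pos + 2 > len(client_hello):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", client_hello, pos)
    if n % 2 or pos + 2 + n > len(client_hello):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack_from("!%dH" % (n // 2), client_hello, pos + 2))

def selected_suite(server_hello: bytes) -> int:
    """The single cipher suite ID the server chose."""
    pos = after_session_id(server_hello)
    if pos + 2 > len(server_hello):
        raise ValueError("truncated ServerHello")
    return struct.unpack_from("!H", server_hello, pos)[0]

def audit(client_hello: bytes, server_hello: bytes) -> list:
    """Return findings that indicate a weak or inconsistent negotiation."""
    offered, chosen = offered_suites(client_hello), selected_suite(server_hello)
    findings = ["client offers %s" % EXPORT_RSA[s] for s in offered if s in EXPORT_RSA]
    if chosen not in offered:
        findings.append("server chose 0x%04X, which the client never offered" % chosen)
    if chosen in EXPORT_RSA:
        findings.append("negotiated export-grade suite %s" % EXPORT_RSA[chosen])
    return findings

def hello(tail: bytes) -> bytes:
    """Constructed sample: TLS 1.2 version, zero random, empty session_id."""
    return b"\x03\x03" + bytes(32) + b"\x00" + tail

# Constructed samples: 0x002F / 0x0035 are non-export RSA AES suites.
CLIENT = hello(struct.pack("!H2H", 4, 0x002F, 0x0035) + b"\x01\x00")
CLIENT_EXPORT = hello(struct.pack("!H2H", 4, 0x0003, 0x002F) + b"\x01\x00")
SERVER_OK = hello(struct.pack("!H", 0x002F) + b"\x00")
SERVER_DOWNGRADED = hello(struct.pack("!H", 0x0003) + b"\x00")
```

An empty result from `audit` means neither hello message references an export-grade RSA suite and the server's choice is one the client listed.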