Microsoft Patch Tuesday Resolves FREAK Flaw

Tom Jowitt,
cyber security

No more FREAKY business. Microsoft rushes out fix for legacy encryption flaw in Patch Tuesday update

Microsoft has resolved a legacy vulnerability with its latest Patch Tuesday security update.

It emerged last week that all supported releases of Windows was affected by the FREAK security flaw. It had been initially thought that the flaw only affected iOS and Android mobile devices.

Patch Tuesday

microsoft-patch-lEssentially, the SSL vulnerability allows an attacker to conduct a Man-in-the-Middle (MITM) attack. A PC or Mac uses the export grade cipher (512 bit RSA), which is breakable relatively quickly (typically in 24 hours). Once the attacker has the key they can eavesdrop on your communication and even modify it and redirect the user to impostor sites.

The vulnerability is a relic of the 1990s, when US laws forbade the export of strong encryption. As a result, systems included a weaker RSA export cipher, and it is still present in many systems, although the export ban was lifted in 1999.

But Microsoft has resolved this FREAK flaw in the latest Patch Tuesday update which contains 14 patches, five of which are rated critical.

“The highest priority goes to MS15-018, the bulletin for Internet Explorer,” blogged Qualys CTO Wolfgang Kandek. “All versions of IE are affected from IE6 (on Windows Server 2003) to IE11. The new version addresses 12 vulnerabilities, 10 of which are critical and could be used to execute code on the target machine.”

“MS15-022 is our next bulletin in terms of severity,” said Kandek. “It addresses five vulnerabilities in Microsoft Office, one of them critical in the RTF parser. MS15-021 addresses eight font based vulnerabilities in Windows.”

A full listing of all the bulletins and their descriptions can be found here.

Sneaky Adware

It has been another bad month security wise. Last month, it was revealed that Lenovo had pre-installed Superfish, an advertising program on some Lenovo laptops.

The Chinese PC maker Lenovo had begun to bundle Superfish ad software with some of its laptops in September of last year, using it to alter users’ search results. It said it removed the software from its products in January due to user complaints over the intrusiveness of the tool.

The US Government warned the general public to remove Superfish because it said it introduces a security vulnerability.

Meanwhile the Lizard Squad hacked the corporate Lenovo website in apparent retaliation.

Are you a security pro? Try our quiz!