Aged but still widely used Windows XP almost certainly vulnerable, too, but don’t expect a patch from Microsoft

Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk.

The news was a turnabout from earlier in the week, when researchers initially fingered only Apple’s iOS and OS X and Google’s Android as the operating systems whose users could fall victim to criminals spying on purportedly secure communications between browsers and web servers. Adding Windows to the list expands the pool of jeopardized users dramatically: Windows powered 92% of all personal computers last month.

In a security advisory released Thursday, Microsoft said Windows was, in fact, vulnerable to FREAK (Factoring attack on RSA-EXPORT Keys).

“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” Microsoft said in the advisory. “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.”

Schannel (Secure Channel) is the Windows component that implements SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), on top of the operating system’s cryptographic APIs; browsers and other applications call it to encrypt traffic to web servers. FREAK, on the other hand, is the label for the flaw that researchers from INRIA, a French research institute, and Microsoft disclosed Tuesday. The bug lets an attacker silently force a browser-server connection down to the long-discarded “export-grade” RSA cipher suites of the 1990s, whose 512-bit keys can be factored in hours with off-the-shelf software and computing power rented from cloud services like Amazon’s EC2. The attack requires a server that still accepts an RSA_EXPORT suite: the attacker rewrites the client’s hello to ask for one, the server answers with its 512-bit export key, and a flawed client accepts that key even though it never asked for export ciphers. Once that key is factored, the attacker can read and alter the session.
The most likely assault would be through a classic “man-in-the-middle” (MITM) attack, where criminals interpose themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.

Microsoft listed every still-supported version of Windows as affected by the bug. Although the advisory did not promise a patch, Microsoft almost certainly will issue one. The next regularly scheduled Patch Tuesday is next week, March 10.

In their default configurations, however, Windows servers (with the exception of Windows Server 2003, the edition slated for retirement in July) do not support the export-grade ciphers at the root of FREAK.

Because Windows harbors the bug, Microsoft’s IE browser is also vulnerable to a FREAK attack. (IE relies on Schannel to implement SSL and TLS.) A browser that ships its own TLS stack rather than calling Schannel is not affected by this particular Windows flaw, although it may have its own FREAK exposure.

Earlier this week, the FREAKAttack.com browser test, maintained by a group of computer scientists at the University of Michigan, reported that IE was safe. That was premature. “An earlier version of our test gave incorrect results for IE; IE is indeed vulnerable,” the group said on a revised FreakAttack.com. Computerworld confirmed that IE11, which reported itself safe on Wednesday at the test site, now reports that it is vulnerable. Earlier versions of the browser are also at risk.

One interesting point that Microsoft did not mention is that the aged Windows XP is also probably vulnerable. Because Windows Server 2003 is vulnerable, Windows XP is almost guaranteed to be as well: Server 2003 is built on the same code base as XP. But Microsoft retired Windows XP from support in April 2014, and so will not offer a patch to the general public. Enterprises that have paid for post-retirement Custom Support, however, will most likely receive a fix.
XP’s vulnerability, and the fact that it will stay unpatched, are not trivial matters: According to Web analytics vendor Net Applications, 21% of all Windows PCs ran the 13-year-old operating system last month, second only to Windows 7.

Nor will businesses running Windows XP be able to protect those machines with Microsoft’s recommended temporary defense, disabling the weaker ciphers through Group Policy, for which the advisory gives instructions. “The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers,” Microsoft acknowledged. Like Server 2003, Windows XP also lacks the capability of disabling individual ciphers. That feature was introduced in 2007’s Windows Vista.
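The downgrade described above can be checked from the server side, and the Group Policy workaround can be checked from the client side, with a few lines of code. The Python script below is an added example, not code from the article, from Microsoft or from the FREAK researchers. It builds a TLS 1.0 ClientHello that offers nothing but RSA_EXPORT suites (the hello a man in the middle substitutes for the client’s real one), reads the server’s ServerHello or alert to see whether an export suite was negotiated, and, for the mitigation, strips export suites from a Windows “SSL Cipher Suite Order” list of the kind the Group Policy in the advisory writes. The cipher suite codes and names are the standard TLS registry values; the sample cipher list and the ServerHello used in the test are constructed, and the host name on the command line is whatever server you choose to probe.

```python
"""Probe a TLS server for FREAK-style export suites and filter a Windows
cipher-suite order. Added example for this article, not the article's own
code nor the researchers' tooling."""
import os
import socket
import struct
import sys

# RSA export-grade suites a FREAK attacker wants the server to accept.
# Codes are the TLS registry values; the names are the ones Windows uses.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
TLS_1_0 = b"\x03\x01"


def build_client_hello(suites=RSA_EXPORT_SUITES, client_random=None):
    """Return a TLS 1.0 ClientHello record that offers only `suites`.

    This is what a man-in-the-middle turns a normal ClientHello into: the
    server sees an export-only offer and, if it still supports one, answers
    with a 512-bit RSA_EXPORT key."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", code) for code in suites)
    body = (
        TLS_1_0 + client_random
        + b"\x00"                                        # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                    # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return the cipher suite code from a ServerHello record, or None.

    A server that refuses the export-only offer sends an Alert record
    (content type 0x15, usually handshake_failure) instead."""
    if len(data) < 5:
        return None
    content_type = data[0]
    record = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if content_type != 0x16 or len(record) < 4 or record[0] != 0x02:
        return None
    # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    pos = 4 + 2 + 32
    if len(record) <= pos:
        return None
    pos += 1 + record[pos]
    if len(record) < pos + 2:
        return None
    return struct.unpack("!H", record[pos:pos + 2])[0]


def probe(host, port=443, timeout=5.0):
    """Send the export-only ClientHello to host:port; return the name of the
    export suite the server negotiated, or None if it refused."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return RSA_EXPORT_SUITES.get(parse_server_response(data))


def strip_export_suites(order):
    """Client-side mitigation: drop export suites from a Windows
    'SSL Cipher Suite Order' list (the comma-separated Functions value the
    Group Policy writes under HKLM\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\
    Configuration\\SSL\\00010002). Every export suite's Windows name contains EXPORT."""
    return ",".join(s for s in order.split(",") if s and "EXPORT" not in s.upper())


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python freak_probe.py example.com
        print(probe(sys.argv[1]) or "server refused RSA_EXPORT")
    # Constructed sample order, as a Windows policy would store it:
    sample = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
              "TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_WITH_AES_128_CBC_SHA")
    print(strip_export_suites(sample))
```

A server that answers the export-only hello with a ServerHello naming one of the listed suites is the kind of server FREAK needs on the far end of the connection; a patched server answers with a handshake_failure alert and `probe` returns None. The hello carries no SNI extension, so on a shared-hosting IP you are testing that host’s default virtual server. Note that the filter only does what the article describes, removing the export suites; Windows Server 2003 and XP have no such per-suite policy to apply it to.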