TORONTO – Millions of Windows PCs are vulnerable to a newly disclosed security flaw called “FREAK”, rooted in decades-old weakened encryption, that exposes users to eavesdropping when they visit supposedly secure websites, according to Microsoft.
The vulnerability lets an attacker sitting between a user’s web browser and a website downgrade the encrypted (HTTPS) connection to a weak “export-grade” cipher, break it, and read the traffic.
Last week it was reported the flaw affected Apple users through Apple’s Safari browser (on both iPhones and iPads and on Mac computers) and Android users through Android’s default browser. Microsoft’s systems were not believed to be affected.
However, Microsoft later published a security advisory on its website warning that Windows PCs were also vulnerable to the “FREAK” flaw.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” reads the security advisory.
“When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”
FREAK traces back to a former U.S. government policy that required U.S. software-makers to ship weakened, “export-grade” encryption (RSA keys no longer than 512 bits) in products sold overseas. Although the policy was relaxed in the 1990s, the weakened cipher suites remained in widely used software, including web servers and browsers.
A team of security researchers recently discovered that many web servers can still be tricked into accepting those export-grade ciphers. An attacker who intercepts a connection asks the server for the weak cipher on the user’s behalf; the server replies with a 512-bit RSA key, which can be factored in a matter of hours on rented cloud computers; and a vulnerable browser accepts that weak key even though it never asked for it, letting the attacker decrypt everything that follows.
Currently there is no evidence that hackers have exploited the weakness, and the affected companies are working on fixes. A successful attacker, however, could read sensitive information sent over the connection, including passwords and credit card numbers.
Microsoft has not yet released a security patch for Windows; it says it is working on a solution.
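The server-side half of the attack, a server willing to negotiate an RSA_EXPORT cipher suite, can be checked directly. The following script is an added example written for this article, not code from the researchers or from Microsoft. It hand-builds a TLS 1.0 ClientHello that offers only the three RSA export suites from RFC 2246, sends it, and reads the server’s answer: a ServerHello naming one of those suites means the server is exploitable by FREAK, an alert means it refused. The `probe()` function, the host name used in `__main__` and the two sample responses are assumptions constructed for the example; the sample bytes are hand-assembled so the parser can be exercised offline.

```python
import socket
import struct
import sys

# RSA export-grade cipher suites (RFC 2246, appendix A.5). These are the
# suites whose 512-bit RSA key a FREAK attacker factors.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites, server_name=None):
    """Return a raw TLS 1.0 record carrying a ClientHello that offers only `suites`."""
    client_random = b"\x00" * 32            # fixed: we only need the server's reply
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                          # client_version = TLS 1.0
        + client_random
        + b"\x00"                            # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                        # compression methods: null only
    )
    if server_name:                          # optional SNI extension so virtual hosts answer
        host = server_name.encode()
        sni = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
        sni_list = struct.pack("!H", len(sni)) + sni
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Return the cipher suite the server chose, or None if it sent an alert or junk."""
    if len(data) < 5 or data[0] != 0x16:     # 0x15 = alert (server refused), anything else = not TLS
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:         # HandshakeType server_hello
        return None
    body = hs[4:]                            # skip type (1) + length (3)
    pos = 2 + 32                             # server_version + server_random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                     # skip session_id
    if len(body) < pos + 2:
        return None
    return struct.unpack("!H", body[pos:pos + 2])[0]


def accepted_export_suite(server_reply):
    """Suite id if the reply is a ServerHello selecting an RSA export suite, else None."""
    suite = parse_server_hello(server_reply)
    return suite if suite in EXPORT_RSA_SUITES else None


def probe(host, port=443, timeout=5):
    """Connect to host:port, offer only export suites, report which one (if any) it picked."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(sorted(EXPORT_RSA_SUITES), server_name=host))
        reply = sock.recv(4096)
    return accepted_export_suite(reply)


# Constructed sample replies for offline use (not captured from any real server).
SAMPLE_VULNERABLE_SERVER_HELLO = (
    b"\x16\x03\x01\x00\x2a"                  # record: handshake, TLS 1.0, length 42
    + b"\x02\x00\x00\x26"                    # ServerHello, body length 38
    + b"\x03\x01" + b"\x00" * 32             # server_version, server_random
    + b"\x00"                                # session_id length 0
    + b"\x00\x08"                            # chosen suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    + b"\x00"                                # compression: null
)
SAMPLE_REFUSING_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    suite = probe(target)
    if suite is None:
        print(f"{target}: refused export suites (not exploitable by FREAK on this path)")
    else:
        print(f"{target}: VULNERABLE, negotiated {EXPORT_RSA_SUITES[suite]}")
```

A positive result means the server side of FREAK is in place; the full attack additionally needs a client that accepts the export key it did not ask for (the bug Microsoft describes in Schannel) and an attacker in the network path. The fix on the server side is simply to disable all EXPORT cipher suites. On a machine whose OpenSSL build still ships export suites (1.0.x), `openssl s_client -cipher EXPORT -connect host:443` performs the same check; OpenSSL 1.1.0 and later removed those suites, so there the command reports no matching cipher rather than probing the server.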
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” read the security advisory.
In the meantime, Windows users can browse with web browsers that do not rely on Windows’ Schannel library and are not affected by the FREAK flaw, such as Google Chrome and Mozilla Firefox. That protects only web browsing, however: other Windows applications that use Schannel for their secure connections remain exposed until Microsoft’s update ships.