Microsoft has warned that all current versions of its Windows operating system are vulnerable to the recently discovered FREAK SSL/TLS protocol downgrade bug.
In a security advisory published today, Microsoft revealed that its Secure Channel security package is vulnerable to the FREAK (or factoring attack on RSA export keys) vulnerability.
The bug was initially only thought to affect the Google Android and Apple iOS and OS X operating systems.
Using FREAK, attackers can trick servers to downgrade encryption for SSL/TLS to use keys with just 512 bits in length, making them vulnerable to brute-force guessing attacks.
The 512-bit keys are a remnant of United States export control regulations that required vendors to ship systems with weak cryptography in the 1990s.
Microsoft noted that for the attack to succeed, RSA key exchange export ciphers would have to be enabled.
The company suggested administrators disable RSA key exchange export ciphers using the Group Policy Editor as a workaround to mitigate against the flaw.
