
Don't FREAK Out: Microsoft Patches Publicized Flaws

As part of its normal monthly Patch Tuesday, Microsoft this week patched the widely publicized FREAK flaw in all supported Windows versions. Overall, the software giant issued 14 separate security bulletins—all but two of which are for Windows—and fixed over 40 vulnerabilities.

When the FREAK—for “Factoring Attack on RSA-EXPORT Keys”—vulnerability was first disclosed a few weeks back, Windows was thought to be immune. But Microsoft quickly revealed that the flaw was indeed present in Windows and pledged to fix it by the next Patch Tuesday. It has now done so.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” Microsoft’s security bulletin notes. “This vulnerability could allow a man-in-the-middle (MiTM) attacker to force the key length of an RSA key to be downgraded to EXPORT-grade length in a TLS connection. Any Windows system that uses Schannel to connect to a remote TLS server by using an insecure cipher suite is affected.”

To be clear, that’s every supported Windows version: Windows Vista, 7, 8, RT, 8.1 and RT 8.1, and Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, all product editions.
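The bulletin's phrase "an insecure cipher suite" refers to the RSA_EXPORT cipher suites, and the practical check a practitioner wants is whether a server will still negotiate one. The following is an added example written for this article, not code from Microsoft or from the original piece: it builds a TLS ClientHello that offers only RSA export-grade suites and parses the ServerHello to see which suite the server chose. The cipher suite IDs are the IANA-registered values; the sample ServerHello and alert bytes used in the stand-alone run are constructed here to simulate a vulnerable and a patched server, and the probe() function (which needs network access) is the only part that talks to a real host.

```python
"""Check whether a TLS server will negotiate an RSA_EXPORT cipher suite (FREAK precondition)."""
import os
import socket
import struct
import sys

# RSA export-grade cipher suite IDs from the IANA TLS registry. A server that
# selects one of these ends up doing the key exchange with a 512-bit RSA key,
# which is the factorable key the FREAK attack relies on.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

TLS_1_0 = b"\x03\x01"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def _handshake_record(hs_type, body):
    """Wrap a handshake body in a 4-byte handshake header and a 5-byte TLS record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(suites):
    """ClientHello that offers only the given cipher suites (no extensions, null compression)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS_1_0                                   # client_version
        + os.urandom(32)                          # random
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                             # one compression method: null
    )
    return _handshake_record(HS_CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed ServerHello used as sample input: simulates a server that picked `suite`."""
    body = TLS_1_0 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _handshake_record(HS_SERVER_HELLO, body)


def parse_server_hello(data):
    """Return the cipher suite the ServerHello selected, or None for an alert or malformed data."""
    if len(data) < 5:
        return None
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if content_type == CONTENT_ALERT or len(rec) < 4 or rec[0] != HS_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    # server_version(2) random(32) session_id_len(1) session_id(var) cipher_suite(2)
    if len(body) < 35:
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def is_rsa_export(suite):
    return suite in RSA_EXPORT_SUITES


def accepts_rsa_export(server_reply):
    """True if the server answered an export-only ClientHello by selecting an export suite."""
    suite = parse_server_hello(server_reply)
    return suite is not None and is_rsa_export(suite)


def probe(host, port=443, timeout=5.0):
    """Network version: offer only RSA_EXPORT suites to a real server and inspect its first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        reply = sock.recv(4096)
    return accepts_rsa_export(reply)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("accepts RSA_EXPORT:", probe(sys.argv[1]))
    else:
        vulnerable = build_server_hello(0x0003)      # constructed: server picked RC4_40
        refusing = b"\x15\x03\x01\x00\x02\x02\x28"   # constructed: fatal handshake_failure alert
        print("vulnerable sample:", accepts_rsa_export(vulnerable))   # True
        print("refusing sample:", accepts_rsa_export(refusing))       # False
```

A server that refuses the export-only offer with a handshake_failure alert is not exploitable this way; one that answers with a ServerHello selecting any suite in RSA_EXPORT_SUITES still hands out a factorable key. Note that a full FREAK attack also needs the client-side bug this update fixes (the client accepting an export-grade key in a non-export handshake), so the probe measures the server half of the problem, which is the half an administrator can also close by removing these suites from the Schannel cipher suite order.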


The other high-profile flaw that Microsoft fixed this week is a holdover from the 2010 Stuxnet worm. Apparently, Microsoft’s original patch didn’t fully close the flaw, which was somewhat unusual in this modern era in that it is triggered by malicious shortcut (.LNK) files, typically delivered on USB drives, so it allows attackers to take over PCs even when they’re offline. Alerted by HP’s Zero Day Initiative that its original patch wasn’t always effective, Microsoft has issued a new patch, which it claims addresses a new issue.

“This is a new vulnerability that required a new security update,” a Microsoft statement notes, contradicting HP’s assertion that the original Microsoft patch had “failed.” “Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals.”

Either way, the new shortcut-handling patch also applies to all supported Windows versions.

Microsoft also fixed a wide range of other critical security flaws in what is one of the busiest Patch Tuesdays in recent memory. Among them is an Internet Explorer 10 and 11 “Universal XSS” (for “cross-site scripting”) flaw that is fixed in a cumulative update.

“This security update resolves vulnerabilities in Internet Explorer,” a Microsoft security bulletin explains. “The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Additionally, Microsoft issued two firmware updates for its Surface tablets, with one each for Surface Pro 3 and Surface RT (original version). It had delivered no Surface firmware updates in February.

You can learn more about the March 2015 Patch Tuesday updates on the Microsoft Security TechCenter.

Paul Thurrott is an award-winning technology journalist and blogger with over 20 years of industry experience and the author of over 25 books. He is the News Director for the Petri IT Knowledgebase, the major domo at Thurrott.com, and the co-host of three tech podcasts: Windows Weekly with Leo Laporte and Mary Jo Foley, What the Tech with Andrew Zarian, and First Ring Daily with Brad Sams. He was formerly the senior technology analyst at Windows IT Pro and the creator of the SuperSite for Windows.
