Security

Don't FREAK Out: Microsoft Patches Publicized Flaws

As part of its normal monthly Patch Tuesday, Microsoft this week patched the widely publicized FREAK flaw in all supported Windows versions. Overall, the software giant issued 14 separate security bulletins—all but two of which are for Windows—and fixed over 40 vulnerabilities.

When the FREAK—for “Factoring Attack on RSA-EXPORT Keys”—vulnerability was first disclosed a few weeks back, Windows was thought to be immune. But Microsoft quickly revealed that the flaw was indeed present in Windows and pledged to fix it by the next Patch Tuesday. It has now done so.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” Microsoft’s security bulletin notes. “This vulnerability could allow a man-in-the-middle (MiTM) attacker to force the key length of an RSA key to be downgraded to EXPORT-grade length in a TLS connection. Any Windows system that uses Schannel to connect to a remote TLS server by using an insecure cipher suite is affected.”

To be clear, that’s every supported Windows version: Windows Vista, 7, 8, RT, 8.1 and RT 8.1, and Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, all product editions.
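The downgrade the bulletin describes is visible on the wire: a FREAK man-in-the-middle rewrites the handshake so the server ends up selecting an RSA_EXPORT cipher suite. As an added example (not from the original article or from Microsoft), the Python below parses a TLS ServerHello and flags the export-grade suites; the record bytes it checks are constructed in the block.

```python
import struct

# RSA_EXPORT cipher suite IDs from RFC 2246; a FREAK downgrade lands on one of these
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_server_hello(record: bytes):
    """Return (protocol_version, cipher_suite) from a TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:           # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:               # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                                 # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:                            # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return version, suite

def export_downgrade_alert(record: bytes):
    """Return an alert string if the server chose an export-grade suite, else None."""
    _, suite = parse_server_hello(record)
    if suite in EXPORT_SUITES:
        return f"ALERT: server selected {EXPORT_SUITES[suite]} (0x{suite:04x})"
    return None

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample ServerHello (TLS 1.2, fixed random) for offline testing."""
    hello = (struct.pack("!H", 0x0303) + bytes(range(32)) + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite) + b"\x00")
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    print(export_downgrade_alert(build_server_hello(0x0008)))  # flagged
    print(export_downgrade_alert(build_server_hello(0x002F)))  # None
```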


The other high-profile flaw that Microsoft fixed this week is a holdover from the 2010 Stuxnet worm. Apparently, Microsoft’s original patch didn’t fully fix the flaw, which was somewhat unique in this modern era in that it allows hackers to take over PCs even when they’re offline. Alerted by HP that its original patch wasn’t always effective, Microsoft has issued a new patch, which it claims addresses a new issue.

“This is a new vulnerability that required a new security update,” a Microsoft statement notes, contradicting HP’s assertion that the original Microsoft patch had “failed.” “Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals.”

Whatever it is, the new Stuxnet-related patch also applies to all supported Windows versions.

Microsoft also fixed a wide range of other critical security flaws in what is one of the busiest Patch Tuesdays in recent memory. Among them is an Internet Explorer 10 and 11 “Universal XSS” (for “cross-site scripting”) flaw that is fixed in a cumulative update.

“This security update resolves vulnerabilities in Internet Explorer,” a Microsoft security bulletin explains. “The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Additionally, Microsoft issued two firmware updates for its Surface tablets, with one each for Surface Pro 3 and Surface RT (original version). It had delivered no Surface firmware updates in February.

You can learn more about the March 2015 Patch Tuesday updates on the Microsoft Security TechCenter.

Paul Thurrott is an award-winning technology journalist and blogger with over 20 years of industry experience and the author of over 25 books. He is the News Director for the Petri IT Knowledgebase, the major domo at Thurrott.com, and the co-host of three tech podcasts: Windows Weekly with Leo Laporte and Mary Jo Foley, What the Tech with Andrew Zarian, and First Ring Daily with Brad Sams. He was formerly the senior technology analyst at Windows IT Pro and the creator of the SuperSite for Windows.