Don’t FREAK Out: Microsoft Patches Publicized Flaws

As part of its normal monthly Patch Tuesday, Microsoft this week patched the widely publicized FREAK flaw in all supported Windows versions. Overall, the software giant issued 14 separate security bulletins—all but two of which are for Windows—and fixed over 40 vulnerabilities.

When the FREAK—for “Factoring Attack on RSA-EXPORT Keys”—vulnerability was first disclosed a few weeks back, Windows was thought to be immune. But Microsoft quickly revealed that the flaw was indeed present in Windows and pledged to fix it by the next Patch Tuesday. It has now done so.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” Microsoft’s security bulletin notes. “This vulnerability could allow a man-in-the-middle (MiTM) attacker to force the key length of an RSA key to be downgraded to EXPORT-grade length in a TLS connection. Any Windows system that uses Schannel to connect to a remote TLS server by using an insecure cipher suite is affected.”

To be clear, that’s every supported Windows version: Windows Vista, 7, 8, RT, 8.1 and RT 8.1, and Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, all product editions.

The other high profile flaw that Microsoft fixed this week is a holdover from the 2010 Stuxnet worm. Apparently, Microsoft’s original patch didn’t fully patch the flaw, which was somewhat unique in this modern era in that it allows hackers to take over PCs even when they’re offline. Alerted by HP that its original patch wasn’t always effective, Microsoft has issued a new patch, which it claims addresses a new issue.

“This is a new vulnerability that required a new security update,” a Microsoft statement notes, contradicting HP’s assertion that the original Microsoft patch had “failed.” “Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals.”

Whatever it is, the new Stuxnet-related patch also applies to all supported Windows versions.

Microsoft also fixed a wide range of other critical security flaws in what is one of the busiest Patch Tuesdays in recent memory. Among them is an Internet Explorer 10 and 11 “Universal XSS” (for “cross site scripting”) flaw that is fixed in a cumulative update.

“This security update resolves vulnerabilities in Internet Explorer,” a Microsoft security bulletin explains. “The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Additionally, Microsoft issued two firmware updates for its Surface tablets, with one each for Surface Pro 3 and Surface RT (original version). It had delivered no Surface firmware updates in February.

You can learn more about the March 2015 Patch Tuesday updates on the Microsoft Security TechCenter.