
Every version of Windows is at risk from this 1990s bug

A patch is on the way.


WINDOWS USERS ARE susceptible to a serious vulnerability affecting millions of Android and iPhone users.

It’s called “FREAK”, and puts users at risk of having their confidential details stolen by hackers.

It is a remnant of the debates over cryptography in the nineties. The US government at one point placed limits on the strength of encryption in software that could be exported from America.

This meant authorities could, if need be, intercept communications of products that had this weaker encryption strength. These limits were later relaxed and encryption became considerably stronger. But the early restrictions had a nasty effect.

“The weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year,” the Washington Post explains.

This means that many websites and browsers are still programmed to provide weak keys for security when requested, even though they can now be cracked in a matter of hours.

“Man in the middle”

As a result, a hacker could go to an affected website, obtain its weak key, crack it, then be able to impersonate that website and intercept traffic to the site from users on the same network as them. It’s what’s often called a “man in the middle” attack. On your home WiFi you’re probably safe, but you could be targeted whenever you log on to a public network, like a coffee shop, or a hotel, or an airport.

Ars Technica reports that people hadn’t previously thought Windows users were affected — but that’s not the case. Microsoft has since confirmed that its users are vulnerable, writing that it “is aware of a security feature bypass vulnerability…. that affects all supported releases of Microsoft Windows”. Like Google and Apple, the company is now working on a fix.

The list of websites affected by FREAK is extensive. Banks like American Express and Santander are vulnerable, along with other major websites like Groupon and shopping site J-Crew. At one point, the websites of the White House, the NSA, and the FBI were all affected, according to the Washington Post, although they’ve since implemented fixes. According to one site dedicated to tracking FREAK, 9.5% of the Alexa Top 1 Million websites are affected (down from 12.2% as people begin to patch the issue).

What this means in real terms is that when you’re shopping online, or checking your bank statement, or logging onto one of your favourite sites, hackers may be harvesting your sensitive personal information.

There are no confirmed uses of FREAK to harvest confidential data — but the vulnerability has existed for decades, so it’s not unthinkable to suggest it may have been used.

- Rob Price

Published with permission from:

Business Insider