Time for all Windows users to FREAK out over encryption bug

Gregg Keizer | March 9, 2015
Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk.

Computerworld confirmed that IE11, which reported itself safe on Wednesday at the test site, now reports that it is vulnerable. Earlier versions of the browser are also at risk.

One interesting point that Microsoft did not mention is that the aged Windows XP is also probably vulnerable. Because Windows Server 2003 is vulnerable, Windows XP is almost guaranteed to be as well: The former is based on XP.

But Microsoft retired the aged Windows XP from support in April 2014, and so will not offer a patch to the general public. Enterprises that have paid for post-retirement Custom Support, however, will most likely receive a fix.

XP's vulnerability, and its unpatched status going forward, are not trivial matters: According to Web analytics vendor Net Applications, 21% of all Windows PCs relied on the 13-year-old operating system last month, second only to Windows 7.

Nor will businesses running Windows XP be able to protect those machines using Microsoft's recommended temporary defense of disabling weaker ciphers with Group Policy, instructions for which were outlined in the advisory. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft acknowledged.

Like Server 2003, Windows XP also lacks the capability of disabling individual ciphers. That feature was introduced in 2007's Windows Vista.

 
