Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered "Freak" encryption security flaw, which was initially believed to only threaten mobile devices and Mac computers, Microsoft warned. A group of nine security experts on Tuesday disclosed that ubiquitous Internet encryption technology could make devices running Apples iOS and Mac operating systems, along with Google's Android browser, vulnerable to cyberattacks. Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the Freak vulnerability. The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption. If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said.
Security experts said the vulnerability was relatively difficult to exploit because hackers would need to find a vulnerable web server, break the key, find a vulnerable PC or mobile device, then gain access to that device.
Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it had not yet developed a security update that would automatically protect Windows PC users from the threat. Apple and Google both said Wednesday they had developed software updates to address the vulnerability. "Freak" stands for Factoring RSA-EXPORT Keys.