FREAK: All Windows versions are affected too

UPDATE on the FREAK vulnerability in SSL: it affects not only Android and iOS but all Windows versions too.


wrote about the new SSL vulnerability called FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan.

Android, iOS and a lot of embedded devices that make use of the affected SSL clients (including Open) are in danger of having their connections to vulnerable websites intercepted.

The two most used operating systems for smartphones, tablets, laptops and embedded devices  are in good company. Yesterday, Microsoft made known that all its supported Windows versions are also affected due to the presence of the vulnerability in the Windows Secure Channel (SChannel) – the Microsoft own implementation of SSL/TLS:

  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows 8 and 8.1
  • Windows Server 2012
  • Windows RT

Microsoft published an TechCenter an advisory where the problem is analyzed and solutions are offered. Also a patch is promised to fix all supported operating systems.

What does it mean for the user?

It means that if you are in Windows and make use of the vulnerable SSL libraries delivered by default, your connection to the affected servers can be intercepted. If you use Internet Explorer to visit you will be surprised to see this:

What should the users do?

We do not recommend messing up with the standard cryptography settings of Windows (or any operating systems) unless you know what you are doing (and there is a just hand full of people that actually do). You should try a browser that is not affected (like Chrome, which was updated in the meanwhile) and apply the patches for operating system and browsers that will come in the next few days.

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: