On Thursday, Microsoft issued a security advisory admitting that it is “aware of a security feature bypass vulnerability” which “affects all supported releases of Microsoft Windows,” in addition to any non-Microsoft software running on a part of Windows called Secure Channel.
Specifically, Windows is vulnerable to a security flaw known as FREAK (a not-quite-acronym which stands for “Factoring attack on RSA-EXPORT Keys”). FREAK makes it possible for attackers to spy on supposedly secure communications.
The security researchers who first discovered Windows' vulnerability to FREAK estimate that roughly 9.5% of the web's top 1 million websites are vulnerable to FREAK attacks. So are the websites of the FBI and NSA. A list of popular sites susceptible to FREAK can be found at FreakAttack.com.
Remember that “susceptible to FREAK” is not synonymous with “has been hacked thanks to FREAK.” As of press time, so far as anyone knows, no hackers have exploited the Windows FREAK vulnerability.
Vulnerability to FREAK is not unique to Windows. Quite the opposite: until now, everyone thought FREAK was “only” a problem for Android, iOS and OS X users, but not Windows OS. With this latest addition of Windows, the list of phones, tablets and other devices whose security is vulnerable to FREAK now includes – well, pretty much all of them.
What makes all communications devices vulnerable to this FREAK-show? Three words: National Security Agency.
As TechNewsWorld put it, Microsoft's FREAK problem shows how the “NSA's flaws come home to roost.” After all, it would be very easy for Microsoft and all other tech companies to make securely encrypted devices which nobody can illicitly spy upon. Problem is, the NSA and other branches of the United States government don't want the tech companies to do this; the government wants companies to provide a “backdoor” through which government agents can enter at will.
Remember: even though phone encryption could end the problem of hackers and other criminals spying on people's secure communications, FBI director James Comey actually suggested last October that maybe Congress should make it illegal for such communications to be encrypted.
And last December, when Verizon introduced its “Voice Cypher” app, it described the app with words like “secure” and “encrypted.” But it's not; Voice Cypher also has a backdoor allowing for government access, which also means a backdoor allowing access to any hacker who knows how to breach it.
Bear in mind: even if these devices were genuinely secure and encrypted, it would still be possible for the police or other government agents to get data off your devices without your help or consent, if necessary to a criminal investigation or something similar. The police would merely have to go to court and present evidence for a search warrant, as demanded by the Constitution.
The security-flaw “backdoors” allow the NSA or others to skip this step, so they can easily, remotely (and warrantlessly) access your encrypted device without your knowing about it.
In other words: don't think of FREAK vulnerability as “a terrible security flaw leaving you hopelessly vulnerable to thieving cybercriminals found anywhere on planet Earth”; think of it as “your tax dollars at work.”