Microsoft followed up its March 5 security advisory on the exposure of Windows 7 machines running IE 11 to a FREAK bug attack, issuing a fix for the vulnerability on Patch Tuesday among a collection of 14 bulletins.

DH Kass, Senior Contributing Blogger

March 13, 2015

Microsoft Issues New FREAK Fix, Updates Stuxnet Patch

The MS15-031 bulletin addressing the FREAK vulnerabilities patches a security feature bypass vulnerability in Schannel, the Windows implementation of SSL/TLS. In a FREAK attack, an unsuspecting user on an affected machine visits a supposedly HTTPS-secured website whose connection an attacker has downgraded to a weak 512-bit export-grade cipher.

“This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems,” Microsoft said.

“The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection,” the vendor’s bulletin said. “Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected. … The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems.”
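The downgrade Microsoft describes leaves a recognisable trace in the TLS handshake: the server ends up on an export-grade RSA suite the client never offered, or a temporary 512-bit RSA key shows up in a ServerKeyExchange where a non-export RSA suite would never carry one. The following is an added example, not code from the article or from Microsoft, of how a passive TLS monitor could flag those conditions. It assumes a constructed handshake-summary schema (`client_suites`, `server_suite`, `ske_rsa_bits`) rather than parsing real packet captures; the cipher suite code points are the IANA-registered values.

```python
"""Flag FREAK-style export-grade RSA downgrades in recorded TLS handshakes.

Added example, not from the article or Microsoft. Handshakes are modelled as
plain dicts (a constructed summary of what a passive TLS monitor might log),
not parsed from real packet captures.
"""

# IANA TLS cipher suite code points (a representative subset).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Non-export suites with plain RSA key exchange: these never send a
# ServerKeyExchange message, so any RSA key in one is suspicious.
RSA_KEY_EXCHANGE_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
ECDHE_SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

MIN_RSA_BITS = 1024  # export-grade keys (512 bits) fall well below this


def analyse_handshake(hs):
    """Return a list of finding strings for one handshake summary.

    Constructed schema for ``hs``:
      client_suites: list[int]  cipher suites offered in the ClientHello
      server_suite:  int        suite chosen in the ServerHello
      ske_rsa_bits:  int|None   RSA modulus length seen in a ServerKeyExchange
    """
    findings = []
    chosen = hs["server_suite"]

    if chosen in EXPORT_RSA_SUITES:
        findings.append(f"server selected export suite {EXPORT_RSA_SUITES[chosen]}")

    # A correct client rejects a ServerHello naming a suite it never offered;
    # the FREAK clients did not, which is what the Schannel fix corrects.
    if chosen not in hs["client_suites"]:
        findings.append(f"server selected suite 0x{chosen:04X} the client never offered")

    bits = hs.get("ske_rsa_bits")
    if bits is not None:
        if chosen in RSA_KEY_EXCHANGE_SUITES:
            findings.append(
                f"ServerKeyExchange with {bits}-bit RSA key in non-export suite "
                f"{RSA_KEY_EXCHANGE_SUITES[chosen]}"
            )
        elif bits < MIN_RSA_BITS:
            findings.append(f"{bits}-bit temporary RSA key is export-grade")
    return findings


def scan_handshakes(handshakes):
    """Return [(index, findings)] for every handshake with at least one finding."""
    flagged = []
    for i, hs in enumerate(handshakes):
        findings = analyse_handshake(hs)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample handshakes (not captured traffic).
CLEAN = {"client_suites": [0xC02F, 0x002F], "server_suite": 0xC02F, "ske_rsa_bits": None}
DOWNGRADED = {"client_suites": [0xC02F, 0x002F], "server_suite": 0x0003, "ske_rsa_bits": 512}
WEAK_KEY = {"client_suites": [0x002F], "server_suite": 0x002F, "ske_rsa_bits": 512}
SAMPLE_HANDSHAKES = [CLEAN, DOWNGRADED, WEAK_KEY]

if __name__ == "__main__":
    for index, findings in scan_handshakes(SAMPLE_HANDSHAKES):
        print(f"handshake {index}:")
        for f in findings:
            print(f"  - {f}")
```

The second sample trips all three checks at once, which is what a full downgrade looks like from the wire; the third shows the subtler case the bulletin's wording covers, where the negotiated suite looks fine but a short temporary RSA key is still offered and accepted.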

In addition, the vendor issued an updated Stuxnet patch after it was revealed that the original fix from August 2010 left some issues open.

Microsoft security bulletin MS15-020 covers how Windows handles loading of DLL files and also how Windows Text Services handles objects in memory.

“The vulnerabilities could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted DLL file,” Microsoft said.

“The security update addresses the vulnerabilities by correcting how Microsoft Text Services handles objects in memory and how Microsoft Windows handles the loading of DLL files,” the vendor said.

As Threatpost reported, HP’s Zero Day Initiative worked with Microsoft on the incomplete Stuxnet patch to provide the vendor with details and a proof of concept exploit used to build a new fix.

About the Author(s)

DH Kass

Senior Contributing Blogger, The VAR Guy