After the threat of the FREAK bug recently came to light, it was thought that only Apple and Android devices were under threat. Now, it looks like we can add Windows to that list. Considering the integration of all devices through a single OS starting with Windows 10, it could prove an even bigger problem for Windows than for the others.
The FREAK bug has been around for a while, but it wasn’t found until now. It was created through a ridiculous, but thankfully now ended, rule that required companies to send weaker encryption and software overseas, for the sake of national security. This rule has not been used for a decade, allegedly.
Now, the bug allows hackers to decrypt HTTPS-protected traffic.
It works when an end user who has been made vulnerable to the bug connects to a website that is also vulnerable due to weakened and outdated security. Attackers then place malicious packets into the traffic and create a cloned backend version of the HTTPS site. From there they can connect to a cloud service and begin intercepting data transmitted between the two, or change some of that information.
While there is no solid proof it has been exploited, it is hard to imagine that at least some hackers have not managed to figure out the vulnerability. At the very least, they know about it now, and as companies scramble to close the gap in security, it is possible to exploit it now before the problem is fixed.
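For the server side of closing that gap, one check is to audit which cipher suites a site still offers and flag the export-grade ones left over from the old export rule. This is an added example, not code from the original article or its source; the suite list is constructed sample data and the function names `classify` and `audit` are hypothetical. It assumes the standard naming conventions: OpenSSL marks export suites with an `EXP-` prefix and IANA names contain `_EXPORT`, and FREAK specifically depends on the RSA export key exchange.

```python
import re

# Constructed sample: cipher suites a hypothetical server scan reported,
# mixing OpenSSL-style and IANA-style names.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Key-exchange prefixes that OpenSSL spells out; plain RSA has no prefix.
_NON_RSA_KX = re.compile(r"(EDH|DHE|ADH|DH|KRB5)-")


def classify(name):
    """Return 'rsa_export', 'other_export' or 'ok' for one suite name."""
    n = name.strip().upper()
    if n.startswith(("TLS_", "SSL_")):  # IANA-style name
        if "_EXPORT" not in n:
            return "ok"
        is_rsa = re.match(r"(TLS|SSL)_RSA_EXPORT", n)
        return "rsa_export" if is_rsa else "other_export"
    m = re.match(r"EXP(?:1024)?-(.+)", n)  # OpenSSL-style name
    if not m:
        return "ok"
    # OpenSSL omits the key exchange from the name when it is plain RSA.
    return "other_export" if _NON_RSA_KX.match(m.group(1)) else "rsa_export"


def audit(suites):
    """Group offered suites by finding; suites classified 'ok' are left out."""
    findings = {"rsa_export": [], "other_export": []}
    for s in suites:
        kind = classify(s)
        if kind != "ok":
            findings[kind].append(s)
    return findings


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_OFFERED).items():
        for n in names:
            print(f"{kind:13} {n}")
```

Any entry under `rsa_export` is the server-side weakness this bug relies on; entries under `other_export` are equally weak encryption and should be disabled in the same change.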
Not only can individual hackers or groups trying to extort money use this bug, but so can state agencies and spying countries. So you have to imagine it likely that the NSA at the very least has been using it to their advantage. They are, after all, the ones who ordered the rule that caused the issue in the first place.
After first believing that it was a vulnerability exclusive to Apple and Android, it has been revealed that all versions of Windows are also under threat. So the number of vulnerable users has shot up in the last few hours.
This should be the expected outcome for a lot of programs, which at first thought they were safe but have since been listed as vulnerable. For example, Internet Explorer has now announced that they fall under the category of threatened, after initially stating that there was nothing to worry about. Luckily, no one uses IE.
Source: Ars Technica