Just when you thought that the FREAK security vulnerability only affected iPhone, iPad and Android users, Microsoft has announced that no, the snooping attack bug does affect all Windows users too.
Microsoft disclosed on Monday 5 March that all supported versions of Windows are vulnerable to FREAK, a bug that has made it possible for HTTPS encrypted communication between websites and end-users to be decrypted by hackers for over a decade.
In the early 1990s, the US government decided that it wanted to weaken the encryption standards on products being shipped overseas by US companies, requiring products to be downgraded to "export-grade" encryption – a 512-bit RSA key – that, at the time, only a supercomputer could crack.
But that was then; today such a key can be cracked with far less computing power.
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Microsoft wrote in an advisory.
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.
"When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."
Through its Microsoft Active Protections Program, Microsoft has issued details of several workarounds that remove the weak 512-bit export-grade keys that many websites and mobile devices remain vulnerable to.
However, according to cloud security firm Skyhigh Networks, at least 766 cloud services still haven't patched the FREAK bug since the advisory was released, and since the average company uses 122 potentially vulnerable cloud services, this puts businesses at risk.
On top of that, mobile device users are still vulnerable to FREAK snooping attacks, as the patches for mobile web browsers are not yet ready.
Apple announced on Tuesday 3 March that patches for OS X and iOS will be released next week. As for Google, its developers have yet to announce when a patch will be available for Chrome for Android, although Google did release an updated version of Chrome for Mac on Thursday 5 March.
Security researchers have scanned over 14 million HTTPS-protected websites in recent weeks and found that 36% of them support the weak 512-bit export cipher suites, including many popular websites such as Bloomberg.com, AmericanExpress.com and Groupon.com.
However, many other large sites such as Google and Facebook are not vulnerable, which could lull people into a false sense of security. The real issue is that if this vulnerability has been around for over 10 years, some hackers in the world may already have exploited it multiple times.
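The downgrade Microsoft describes and the scan results above both come down to one question a defender can check directly: does a cipher-suite list still contain export-grade suites? The following is an added example (not code from the article, Microsoft or the researchers cited): it flags export-grade suites in a list of suite names and verifies that a hardened client context offers none. The sample server list is constructed for illustration.

```python
"""Audit TLS cipher-suite lists for export-grade suites of the kind FREAK abuses.

Added example, not from the article. Suite names come in two spellings:
IANA form (TLS_RSA_EXPORT_WITH_RC4_40_MD5) and OpenSSL form (EXP-RC4-MD5).
Both carry an EXP/EXPORT marker, optionally followed by a key size (EXPORT1024).
"""
import re
import ssl

# Match EXP or EXPORT (optionally with a trailing key size) as a whole token,
# delimited by '_' or '-' or the string ends, so ECDHE etc. are not matched.
EXPORT_MARKER = re.compile(r"(^|[_-])EXP(ORT)?\d*([_-]|$)")


def is_export_suite(name: str) -> bool:
    """True if the suite name denotes an export-grade (deliberately weakened) suite."""
    return bool(EXPORT_MARKER.search(name.upper()))


def find_export_suites(suites):
    """Return the export-grade entries of an iterable of suite names, in order."""
    return [s for s in suites if is_export_suite(s)]


def audit(suites):
    """Summarise a list of suite names, e.g. one recorded from a server scan."""
    weak = find_export_suites(suites)
    return {"total": len(suites), "export_grade": weak, "vulnerable": bool(weak)}


def hardened_client_context() -> ssl.SSLContext:
    """A client context that cannot be downgraded to export or other weak suites.

    TLS 1.2 is the floor, and the OpenSSL cipher string restricts the offer to
    the HIGH strength class with anonymous, RC4 and MD5 suites excluded.
    Export-grade suites are not in HIGH, so the list cannot contain them.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5")
    return ctx


def context_export_suites(ctx: ssl.SSLContext):
    """Export-grade suites the given context would offer (expected: none)."""
    return find_export_suites(c["name"] for c in ctx.get_ciphers())


# Constructed sample: what an unpatched server's offered list might look like.
SAMPLE_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_SUITES))
    print("hardened client offers export suites:", context_export_suites(hardened_client_context()))
```

Run the module to see the constructed server list flagged as vulnerable and the hardened client context reported clean; point `audit()` at the suite list your own scanner records for a host to perform the same check.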