A new SSL/TLS vulnerabilty was recently discovered dubbed “FREAK“. Originally it was thought that only OpenSSL was vulnerable, however, Microsoft just issued an advisory (3046015) describing the affected versions of Windows. The default configuration of Windows 2003 is vulnerable, however, Windows 2008 and above are not affected in the default configuration. The Best Practices template in IIS Crypto solves this by removing the affected cipher suites.
One thought on “New SSL/TLS Attack – FREAK”
Comments are closed.
This is a very helpful tool.
When I tried to use it in one of my 2008 R2 servers, it crashes with the below details:
Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: iiscrypto.exe
Problem Signature 02: 2.0.11.0
Problem Signature 03: 578a62a2
Problem Signature 04: mscorlib
Problem Signature 05: 4.0.0.0
Problem Signature 06: 4ba1da6f
Problem Signature 07: 3dab
Problem Signature 08: 105
Problem Signature 09: System.IO.DirectoryNotFound
OS Version: 6.1.7601.2.1.0.274.10
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
LikeLike