Cryptography, General

New SSL/TLS Attack – FREAK

A new SSL/TLS vulnerabilty was recently discovered dubbed “FREAK“. Originally it was thought that only OpenSSL was vulnerable, however, Microsoft just issued an advisory (3046015) describing the affected versions of Windows. The default configuration of Windows 2003 is vulnerable, however, Windows 2008 and above are not affected in the default configuration. The Best Practices template in IIS Crypto solves this by removing the affected cipher suites.

One thought on “New SSL/TLS Attack – FREAK

  1. This is a very helpful tool.
    When I tried to use it in one of my 2008 R2 servers, it crashes with the below details:

    Problem signature:
    Problem Event Name: CLR20r3
    Problem Signature 01: iiscrypto.exe
    Problem Signature 02: 2.0.11.0
    Problem Signature 03: 578a62a2
    Problem Signature 04: mscorlib
    Problem Signature 05: 4.0.0.0
    Problem Signature 06: 4ba1da6f
    Problem Signature 07: 3dab
    Problem Signature 08: 105
    Problem Signature 09: System.IO.DirectoryNotFound
    OS Version: 6.1.7601.2.1.0.274.10
    Locale ID: 1033
    Additional Information 1: 0a9e
    Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
    Additional Information 3: 0a9e
    Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
    C:\Windows\system32\en-US\erofflps.txt

    Like

Comments are closed.