General Gaming Article



Microsoft: Windows Not Immune to FREAK Attack

Posted: 08 Mar 2015 09:12 PM PDT

The encryption flaw was previously thought to only affect Google and Apple products

A few days back, Apple and Google products were found to be affected by a longstanding vulnerability, which stems from a now-defunct U.S. government regulation enjoining tech companies to use encryption no stronger than 512 bits in "export-grade" software — so that the government could maintain a cryptographic edge over its adversaries. Well, how could Microsoft be left behind? The Redmond-based company issued a security advisory Thursday to warn that all supported versions of Microsoft Windows are also affected by FREAK (Factoring attack on RSA-EXPORT Keys), as the SSL/TLS flaw is called.

"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," reads the advisory. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."

The company says it's currently working on a fix, which could come either as part of a future Patch Tuesday bundle or in the form of an out-of-band security update. In the meantime, the company recommends that those running Windows Vista or later "disable RSA key exchange ciphers using the Group Policy Object Editor" in order to mitigate the threat. The entire procedure can be found here.

A list of vulnerable browsers and popular domains is available at FREAKattack.com. The affected browsers are Internet Explorer, Chrome for Mac (patch available), Chrome for Android, Safari for Mac (patch likely in a week), Safari for iOS (patch likely in a week), stock Android browser, Blackberry browser, Opera for Mac and Opera for Linux. Maintained by computer scientists at the University of Michigan, the site also lets users check if their browser is vulnerable.

"The FREAK attack," the site warns, "is possible when a vulnerable browser connects to a susceptible web server—a server that accepts 'export-grade' encryption." According to the researchers, an attacker could use the vulnerability to "intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data."
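For administrators checking their own systems against the workaround and the "export-grade" condition described above, here is an added example (not part of the original article or of Microsoft's advisory) that audits a cipher suite list by name. The sample list is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: cipher suite names as they might appear in a TLS
# cipher-suite order setting (Schannel-style names may carry a curve suffix).
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
]

# The key-exchange part of a suite name is everything between the protocol
# prefix and the first "_WITH_".
_KX = re.compile(r"^(?:TLS|SSL)_([A-Z0-9_]+?)_WITH_")


def classify(suite):
    """Label one suite: 'rsa-export', 'other-export', 'rsa-kx', 'ok' or 'unparsed'."""
    match = _KX.match(suite.strip().upper())
    if not match:
        return "unparsed"        # name without "_WITH_": review by hand
    kx = match.group(1)
    if kx == "RSA_EXPORT":
        return "rsa-export"      # export-grade RSA, the suites FREAK downgrades to
    if "EXPORT" in kx:
        return "other-export"    # export-grade with a different key exchange
    if kx == "RSA":
        return "rsa-kx"          # plain RSA key exchange, disabled by the workaround
    return "ok"


def audit(suites):
    """Group suite names by label, preserving the configured order."""
    report = {}
    for name in suites:
        report.setdefault(classify(name), []).append(name)
    return report


def hardened_order(suites):
    """Keep only suites labelled 'ok'; everything else is dropped for review."""
    return [s for s in suites if classify(s) == "ok"]


if __name__ == "__main__":
    for label, names in audit(SAMPLE_SUITES).items():
        print(f"{label:13} {', '.join(names)}")
```
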


uTorrent Developer Denies Installing Cryptocurrency Miner Without User Consent

Posted: 08 Mar 2015 08:55 PM PDT

uTorrent EpicScale Offer Prompt

Be that as it may, the company is not entirely blameless.

On Thursday, a uTorrent user going by the handle "Groundrunner" took to the popular torrent client's official forum to report something fishy. Updating to the latest version of the client (3.4.2 build 38913), he complained, "silently installed a piece of software called EpicScale" (a cryptocurrency miner) on his machine. He also linked to a web page littered with similar complaints — some dating back to early Feb — from angry uTorrent users. As was to be expected so close on the heels of Lenovo's Superfish fiasco, it didn't take long for a furor to erupt around these sensational claims.

BitTorrent Inc., the company behind uTorrent, was quick to dismiss the whole thing, blaming it on user ignorance. This is what the company had to say in a statement it sent to PCWorld: "We have reviewed the issue closely and can confirm there is no silent install happening. It is in fact impossible for partner software to be installed without user permission. We are continuing to look at the issue. But it is almost certain these users accepted the offer during install. In terms of user complaints in our forums, we always take these claims seriously. We highly value our users, they are a passionate and tech savvy group. In the last 24 hours we have received less than a dozen inquiries out of several million offers. That should put things into perspective."

Turns out, the company is telling the truth and a section of the tech media may have jumped the gun in raking it over the coals. Many users and media outlets have since confirmed that the uTorrent installer presents the user with an option to decline the "offer" to install EpicScale and proceed with the rest of the installation.

That does not mean that the company is entirely blameless, though. The reason so many people have no recollection of having green-lighted EpicScale's installation is that the offer is presented in a way that closely mimics a ToS/EULA dialog box. There's a lesson for all of us in this: read before you press that Next button.

As for EpicScale, it is more than a cryptocurrency miner. Its official website claims that the program springs into action when a PC is idle to harness its unused processing power to solve "math problems for weather prediction, physics simulations, cryptography (including cryptocurrency mining) and more." Apparently, around 75 percent of the proceeds from this activity go to various charities.


GDC 2015: Gabe Newell Talks About Growth of PCs, Source 2, Steam Link, and More [Video]

Posted: 08 Mar 2015 03:38 PM PDT

Valve's tools are there to "keep PC gaming moving forward"

Valve certainly turned heads with its SteamVR experience and other announcements about Source 2 and Steam Machines during GDC 2015. But the announcements didn't stop there. The company also held a presentation that Maximum PC Online Managing Editor Jimmy Thang was able to record, where Valve boss Gabe Newell talked about Steam Machines, Steam Link, Source 2, Steam Controller, Vulkan, and the growth of PCs.

While Valve didn't allow any questions to be asked during the presentation, Newell talked a fair amount about the growth of the PC industry, saying that Steam has seen an increase of 50 percent year-over-year, a claim that is substantiated by the company's announcement last month that the digital distribution platform currently boasts 125 million accounts. He went on to briefly talk about how the industry has continued to grow when it comes to hardware, a 20 percent decline in bandwidth cost, advancements when it comes to monitors, and the rise of user-generated content, all of which have contributed to the PC industry's growth.

Newell also talked about Valve's Source 2 engine and how it will be free for everyone to use. One of Valve's focuses with its newest engine, he elaborated, is productivity for both developers and gamers. Vulkan, the next generation of OpenGL, was also discussed: it is a cross-platform API that will be supported by companies such as Valve, Blizzard, and Epic Games.

There was also a demonstration of Valve's new Steam Link hardware that will let users play games in 1080p and 60Hz, in conjunction with a Steam Machine, PC, or Mac, on any television. The Talos Principle, a pre-alpha version of Unreal Tournament, and even System Shock 2 were used to demonstrate the Steam Link and Steam Controller.

If you want to hear what Gabe Newell has to say, be sure to watch the video.

So what are your overall impressions of Valve and its various announcements at GDC? Let us know in the comment section below!
