Why Did It Take Microsoft So Long to Acknowledge a Huge Security Hole That It Found?

Maybe Microsoft thinks it’s too normal for FREAKs.


On Tuesday, a team of researchers announced the latest widespread security vulnerability. Called FREAK (for Factoring RSA Export Keys), an acronym that might actually be better than POODLE, it's a flaw in how HTTPS secure connections are established between browsers and Web servers: an attacker sitting between the two can force the connection down to the 512-bit "export-grade" RSA keys of the 1990s, which are weak enough to be factored in a matter of hours.
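The article describes the downgrade only in outline. For readers who want to see what the downgrade looks like on the wire, here is an added example (not from the article, the researchers, or any vendor) that parses constructed TLS ServerHello and ServerKeyExchange records and flags the two signals of a FREAK-style downgrade: the server selecting an RSA_EXPORT cipher suite, and an RSA ServerKeyExchange carrying a short (512-bit or smaller) key. The second case is the one that bit vulnerable clients: a plain RSA suite never calls for a ServerKeyExchange at all, yet affected clients accepted one and used the weak key. The cipher-suite IDs are the IANA-registered values; the record bytes and the "key" are constructed in the block itself and are not real keys.

```python
import struct

# IANA cipher-suite IDs of the export-grade RSA suites FREAK relies on:
# only these make a server send a short RSA key in ServerKeyExchange.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Plain RSA key-exchange suites never carry a ServerKeyExchange message.
PLAIN_RSA_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
SERVER_KEY_EXCHANGE = 0x0C


def build_handshake_record(msg_type, body, version=0x0303):
    """Wrap a handshake body in handshake + record headers (constructed test data)."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(hs)) + hs


def build_server_hello(suite, version=0x0303):
    """ServerHello: version, 32-byte random, empty session id, suite, null compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return build_handshake_record(SERVER_HELLO, body)


def build_server_key_exchange_rsa(modulus_bits):
    """ServerKeyExchange with ServerRSAParams {modulus, exponent}; signature omitted."""
    modulus = (1 << (modulus_bits - 1)) | 1          # synthetic value, not a real key
    n = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    e = (65537).to_bytes(3, "big")
    body = struct.pack("!H", len(n)) + n + struct.pack("!H", len(e)) + e
    return build_handshake_record(SERVER_KEY_EXCHANGE, body)


def unwrap_handshake(record, expected_type):
    """Strip the record and handshake headers, checking the handshake message type."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != expected_type:
        raise ValueError("unexpected handshake message type %r" % (body[:1],))
    hs_len = int.from_bytes(body[1:4], "big")
    return body[4:4 + hs_len]


def parse_server_hello(record):
    """Return (version, cipher_suite) from a ServerHello record."""
    hs = unwrap_handshake(record, SERVER_HELLO)
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]                      # session_id length follows version(2) + random(32)
    pos = 35 + sid_len
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return version, suite


def parse_rsa_params_bits(record):
    """Return the bit length of the RSA modulus in an RSA ServerKeyExchange."""
    hs = unwrap_handshake(record, SERVER_KEY_EXCHANGE)
    n_len = struct.unpack("!H", hs[0:2])[0]
    modulus = int.from_bytes(hs[2:2 + n_len], "big")
    return modulus.bit_length()


def assess_handshake(server_hello, server_key_exchange=None):
    """Return a list of FREAK-style findings for one observed handshake."""
    findings = []
    _, suite = parse_server_hello(server_hello)
    if suite in RSA_EXPORT_SUITES:
        findings.append("server selected export suite %s" % RSA_EXPORT_SUITES[suite])
    if server_key_exchange is not None:
        bits = parse_rsa_params_bits(server_key_exchange)
        if suite in PLAIN_RSA_SUITES:
            # The client-side bug FREAK exploits: accepting an RSA ServerKeyExchange
            # that the negotiated (non-export) suite never calls for.
            findings.append("RSA ServerKeyExchange with non-export suite %s"
                            % PLAIN_RSA_SUITES[suite])
        if bits <= 512:
            findings.append("RSA key of %d bits is factorable" % bits)
    return findings


if __name__ == "__main__":
    # A healthy handshake, then the two downgrade shapes, all constructed above.
    print(assess_handshake(build_server_hello(0x002F)))
    print(assess_handshake(build_server_hello(0x0003), build_server_key_exchange_rsa(512)))
    print(assess_handshake(build_server_hello(0x002F), build_server_key_exchange_rsa(512)))
```

A server that never selects an export suite gives an empty finding list; the first downgrade shape is what a server still offering RSA_EXPORT suites produces, and the second is what a vulnerable client silently accepted. Run against real captures, the same two checks are the ones a network monitor would apply.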

Alongside the announcement, both Google and Apple made statements Tuesday about forthcoming patches for their products, especially mobile browsers. The companies each told the Washington Post and Reuters that they had patches rolling out. Apple promised its patch for early next week. But when you think about software that might be affected by a mainstream vulnerability, there’s another company that should come to mind. Where was Microsoft in all this, and was Windows affected?

On Thursday night, the company finally released a statement. But it wasn't a reassurance that everything was okey-doke. It was an admission that FREAK "affects all supported releases of Microsoft Windows." And the company hasn't been very reassuring about its plans for plugging the hole, noting in its Thursday statement that it is conducting an "investigation." On Friday a company spokesperson told Slate, "Our investigation continues and we'll take the necessary steps to protect our customers."

The company's delayed reaction is especially surprising since the miTLS research team that discovered FREAK is a collaboration between the French Institute for Research in Computer Science and Automation (called Inria) and, um, Microsoft Research. Kinda seems like communication broke down on this one.

Of course, it’s very difficult to implement large-scale security fixes, especially under pressure and when new vulnerabilities are cropping up all the time. Microsoft rightly pointed out in its statement that FREAK is an “industry-wide issue that is not specific to Windows operating systems.” And FREAK originally seemed like a pretty niche vulnerability, so the researchers may have given Apple and Google an early heads up because they thought that the hole was most relevant to them.

“It is pretty ironic, but I would say that it’s not surprising either,” said Rohit Sethi, vice president of product development at consulting firm Security Compass, of Microsoft’s situation. “We have seen in the past these sorts of things happen where researchers talk about vulnerabilities where there was a standard place where people thought it could be exploited.” Sethi notes that once a vulnerability is public and people are looking at it, they often realize there are more weak points than were previously identified. “It tends to kind of catch people off guard,” he said.

In its statement, Microsoft provided detailed instructions about workarounds that “do not correct the underlying issue but would help block known attack vectors before a security update is available.” Implementing them would probably be difficult for most people, though. And since millions of Windows users rely on Microsoft to protect their safety, the company needs to get moving.

David Kennedy, the founder and CEO of cybersecurity firm TrustedSec, says that because FREAK is a vulnerability in legacy protocols from the ’90s, he can understand why it would take time to analyze old code and assess the situation. But he is also surprised by Microsoft’s timeframe. “You would typically expect to see a research team notify corporate,” he said. “I would definitely expect Microsoft to be further down the line with information gathering. It seems like there was a lag in communication between the two groups.”