Microsoft’s FREAK workaround causes update error 8024001F

Microsoft has published a workaround to address the FREAK vulnerability in the SSL/TLS protocol. Unfortunately, this workaround can cause some collateral damage. One consequence can be Windows Update error 8024001F. Here are a few more details.


What is the FREAK vulnerability?

Two weeks ago, security researchers discovered a weakness in SSL/TLS transport encryption that is caused by an old US government policy which forbade the export of strong cryptographic software. I've reported on that issue in my blog post FREAK: Why US policy sets Apple & Google products at risk. In that post, I stated that only Google's Android browser and Apple's iOS / OS X Safari browser are vulnerable. But it turns out that Microsoft Windows also ships with these weak encryption libraries, putting Internet Explorer in all versions, up to IE 11, at risk. Calling this web site in IE 11 under Windows 7 results in a FREAK Attack warning.

Microsoft's workaround

In a business environment there are cases where Internet Explorer is mandatory for compatibility reasons. Therefore, on March 5 Microsoft issued Security Advisory 3046015, Vulnerability in Schannel Could Allow Security Feature Bypass.

The purpose of this advisory is, according to Microsoft, to notify customers that Microsoft is aware of a security feature bypass vulnerability affecting Schannel. In a man-in-the-middle (MiTM) attack, an attacker could downgrade an encrypted SSL/TLS session and force client systems to use a weaker RSA export cipher.

The advisory also provides a workaround that disables RSA key exchange for the TLS transport protocol using Group Policy. Here is what Microsoft suggests to disable the RSA key exchange ciphers:

  1. At a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.
  2. In the left pane, expand the branch Computer Configuration \ Administrative Templates \ Network.
  3. Click the entry SSL Configuration Settings and, under this branch, click the SSL Cipher Suite Order policy setting.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane and follow the instructions given in the Microsoft advisory to modify this setting.

The advice given in Microsoft's Security Advisory blocks TLS-RSA key exchange. Windows will fail to connect to systems that do not support any of the cipher suites listed in the workaround. At a glance, it seems to be a good solution. But so far there are several side effects.
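As an added example (it is not part of Microsoft's advisory or of this post), the following PowerShell script audits the SSL Cipher Suite Order policy that the steps above modify. It reads the policy's configured suite list, classifies each suite by its key exchange, and reports whether export-grade suites remain and whether all TLS_RSA_* suites have been removed, which is exactly the condition that makes servers offering only RSA key exchange unreachable. It assumes that the policy, once set through gpedit.msc, is stored as the comma-separated REG_SZ value "Functions" under the registry key given in the script; that key is the standard Windows location for this policy, not something taken from the post.

```powershell
# Added example: audit the "SSL Cipher Suite Order" Group Policy setting.
# Assumption: the policy is stored as the REG_SZ value "Functions" (a
# comma-separated list of suite names) under this key. The key is the
# standard Windows location for the policy; it is not mentioned in the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherSuiteList {
    # Returns the configured suites as an array, or $null when the policy is
    # "Not Configured" (Windows then uses its built-in default suite order).
    $item = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.Functions)) { return $null }
    return @(($item.Functions -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherSuiteList {
    param([string[]]$Suites)
    # Classify each suite by the key exchange encoded in its name:
    #   EXPORT            export-grade suite (the ones FREAK actually abuses)
    #   TLS_RSA_* / SSL_* RSA key transport (what the workaround removes)
    #   TLS_ECDHE_*/DHE_* ephemeral Diffie-Hellman, unaffected by the downgrade
    $result = [ordered]@{ Export = @(); RsaKex = @(); Ephemeral = @(); Other = @() }
    foreach ($s in $Suites) {
        if     ($s -match 'EXPORT')             { $result.Export    += $s }
        elseif ($s -match '^(TLS|SSL)_RSA_')    { $result.RsaKex    += $s }
        elseif ($s -match '^TLS_(ECDHE|DHE)_')  { $result.Ephemeral += $s }
        else                                    { $result.Other     += $s }
    }
    return $result
}

$suites = Get-PolicyCipherSuiteList
if ($null -eq $suites) {
    Write-Output 'SSL Cipher Suite Order policy is not configured; the built-in default order is in use.'
} else {
    $report = Test-CipherSuiteList -Suites $suites
    Write-Output ('Configured suites:                        {0}' -f $suites.Count)
    Write-Output ('Export-grade suites present (expect 0):   {0}' -f $report.Export.Count)
    Write-Output ('RSA key-exchange suites (TLS_RSA_*):      {0}' -f $report.RsaKex.Count)
    Write-Output ('Ephemeral (ECDHE/DHE) suites:             {0}' -f $report.Ephemeral.Count)
    if ($report.Export.Count -gt 0) {
        Write-Output ('Export suites still enabled: ' + ($report.Export -join ', '))
    }
    if ($report.RsaKex.Count -eq 0) {
        Write-Output 'No TLS_RSA_* suites enabled: servers that offer only RSA key exchange will be unreachable.'
    }
}
```

Run it from an elevated PowerShell prompt after applying or reverting the workaround; a policy change made in gpedit.msc is visible in the registry immediately, so the script shows the suite list the next TLS handshake will use. The classification is by suite name only, which is sufficient here because Schannel's suite names carry the key exchange and the EXPORT marker.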


  • Some websites may no longer function properly if the server requires a TLS-RSA key exchange.
  • A user commented on my German blog post that his Windows Live Mail no longer worked.

The German IT magazine heise.de claims in this article that Windows Update fails with error 8024001F after applying the workaround. It seems to me that blocking TLS-RSA key exchange breaks Windows Update's ability to decrypt its communication packets.

My proposal – plain, safe and easy

I think the risk from the FREAK vulnerability is low, because every user can use another browser like Google Chrome or Firefox. Testing Google Chrome against the FREAK weakness using the web site above gives the following result.

My Google Chrome browser on Windows 7 isn't vulnerable to a FREAK attack. So my suggestion is: skip the workaround Microsoft has issued in the advisory and just use an alternative browser until a patch / hotfix arrives.

Summary: Windows / Internet Explorer are affected by the FREAK vulnerability. The workaround Microsoft has provided comes with collateral damage. A better workaround is to use an alternative browser like Google Chrome or Firefox until Microsoft has provided a patch.


2 Responses to Microsoft’s FREAK workaround causes update error 8024001F

  1. Pingback: #Microsoft fixes #FREAK vulerability, but not on #Windows10TP | Born's Tech and Windows World

  2. Kim says:

    Well, I don't know much about Microsoft's "Freak workaround", but I do know a little about Error Code 8024001F. This error code in particular is very common and is usually the result of an Internet connection problem. Various factors could conflict with the Internet connection, and so the user might have to implement several manual procedures before it can be fixed.