Microsoft joins Google, Apple in fixing "FREAK" security flaw

Microsoft has joined Apple and Google in fixing the "FREAK" security flaw that may have left millions of people vulnerable to hacking while surfing the web on their devices.

There's no evidence so far that any hackers have exploited the weakness, which companies are now moving to repair. Researchers blame the problem on an old government policy, abandoned over a decade ago, which required U.S. software makers to use weaker security in encryption programs sold overseas due to national security concerns.

The weaker software could make it easier for hackers to break the encryption that's supposed to prevent digital eavesdropping when a visitor types sensitive information into a website.

"It's basically an old vulnerability that was able to make devices more susceptible to hacking because of lower encryption," CNET senior editor Jeff Bakalar told CBS News. "Hackers could in theory sort of force feed devices and browsers lower encryption and therefore leave those devices vulnerable for attack."

Microsoft on Tuesday released a Windows update to address FREAK. Google said it put a fix in an update last week, while CNET reports that the iOS update Apple announced at its Apple Watch event Monday -- iOS 8.2 -- squashes the bug.

A number of commercial websites are also taking corrective action after being notified privately in recent weeks, Matthew Green, a computer security researcher at Johns Hopkins University, told The Associated Press.

Some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned those policies could inadvertently provide access to hackers.

Michael Casey

Michael Casey covers the environment, science and technology for CBSNews.com.