Windows users are also vulnerable to FREAK snooping attacks

The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.

FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.

The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites – then crack the keys and spy away.

When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.

The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.

In its advisory, Microsoft said:

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:

  • Internet Explorer
  • Chrome on OS X (patch available)
  • Chrome on Android
  • Safari on OS X (patch expected next week)
  • Safari on iOS (patch expected next week)
  • Stock Android browser
  • BlackBerry browser
  • Opera on OS X
  • Opera on Linux

As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.

Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…

Opera users can now easily share collections of bookmarks

The Opera browser now includes a bookmark-sharing feature, the Norwegian firm said on Wednesday. Instead of having to paste multiple URLs into an email or instant message, as of version 26 of the desktop browser, users can save their “findings” into a collection, with each page represented by a thumbnail. They can then share the URL for that collection via email or social media or whatever. Opera for Android has also gained a similar feature, with sharing also made possible via Bluetooth or Android Beam. In related news, Opera 26 marks the full return of Opera to Linux after the browser’s major internal revamp in 2013, with that version rejoining the stable stream. Version 24 snuck into the developer stream in June.

Opera’s app store will replace Nokia Store on feature phones

Microsoft’s purge of Nokia branding and services continues: Opera announced Tuesday that its Mobile Store will replace the Nokia Store on Nokia feature phones, as well as devices running Symbian, and Nokia X devices that run Android. The change will take place during “the first half of 2015.” It’s not Nokia that signed this deal — it’s Microsoft, which has to support those odd devices it got as part of buying Nokia’s mobile business. The move comes a week after Opera signed a deal with Microsoft to become the default browser on legacy Nokia devices, and on the same day that Nokia announced it was working on an Android tablet for China.

Opera is back on Linux

Having dropped Linux support around the time of its root-and-branch revamp, Opera is now offering its first developer version for Linux users in over a year.

Opera is teasing Max app to compress all your mobile pics and videos

Opera is getting ready to release its mobile data compression app Max to a wider audience: The browser maker opened up preregistration for a beta test of the Android app Tuesday, promising that the app will help users to get the most out of their data plan. Max does this by routing all data requests of a phone through Opera’s servers, where it is compressed and then sent to the phone. Google recently introduced data compression for the Android version of Chrome, but Max works for any app, including image and video sharing apps like Vine and Instagram.