Yet to upgrade Windows XP? Microsoft announced yesterday that it patched Windows to stop potential FREAK cyber threats against Internet Explorer (IE) users. Windows XP users are still at risk—here is why.

The newly discovered FREAK security flaw leaves users vulnerable to hackers when they connect to Web servers configured to use encryption technology that was intentionally weakened to comply with a retired Federal regulation banning the strongest encryption standards.

FREAK is an acronym for “Factoring on RSA-EXPORT Keys,” a reference to a design flaw that cyber criminals can exploit, without detection, to force servers back to the old, weakened encryption standard. From there, hackers could easily perform man-in-the-middle attacks against users on insecure Wi-Fi networks, commonly found in public places like retail stores or airports.

Initially FREAK was thought to affect only Apple and Android machines, but Microsoft later announced Windows PCs using IE were also susceptible to FREAK.

Microsoft responded with its own (relatively) speedy patch (MS15-031) for Windows 7, Windows 8, Windows 8.1 and Server 2012, Server 2008—and even Server 2003, which falls out of support July 14, 2015. Apple has patched iOS and OS X, and Google has patched Chrome browsers running on Windows, OS X and Linux.

Windows XP Left Exposed to FREAK

So which popular operating system is still vulnerable to FREAK? You guessed it. Windows XP.

Microsoft deliberately did not patch out-of-support Windows XP even though Windows XP users are almost certainly at risk from FREAK.

According to, Internet Explorer is the most popular Web browser at over 57 percent of the user share as of February 2015. For operating systems, Windows XP, now almost a year after EOS, still holds a 19 percent user share.

The latest FREAK episode provides yet another reason to upgrade Windows XP sooner rather than later.

Give us one good reason not to upgrade Windows XP in the comments section.

Adam Lovinus

A tech writer and Raspberry Pi enthusiast from Orange County, California.
