Problem Windows Schannel contains insecure, outdated EXPORT ciphers which cannot be disabled directly in the Windows registry without also disabling other commonly used cipher suites.
Mitigation Disable SHA hashes or PKCS (RSA) key exchanges in Schannel (this will black-hole up to 50% of HTTPS sites).
Solution Do not use Internet Explorer for HTTPS logins until Microsoft provides updates that remove the export ciphers from Schannel. Use the latest Chrome, Iron or Firefox browsers, but test them first, as versions of Chrome prior to 41 were also FREAK vulnerable. Check the up-to-date list of vulnerable browsers. Note: Windows XP and Server 2003 will probably never be updated. From a security standpoint, MS should also remove Multi-Protocol Hello, NULL, PCT, RC2, RC4, DES, SSLv2 and SSLv3 completely from Schannel.
Research We are working on a possible viable solution.
Q I am using Internet Explorer, but the web site I visit is not FREAK vulnerable. Am I still at risk?
A Possibly. On HTTPS web sites that also offer HTTP access on the same server and use a 301 or 302 redirect from HTTP to HTTPS, you could be vulnerable to MiTM attacks during that redirect.
Q Are other MS apps affected?
A Yes: Remote Desktop, Terminal Server, IIS, possibly Outlook, and others that use Schannel.
The test scenarios below apply to IE 9 through 11 on Windows 7 through 10.
The tests are the results of changes made to the Windows registry in an attempt to secure IE
while allowing the highest percentage of compatibility with HTTPS web sites.
Test 1 has the best compatibility but is FREAK vulnerable (accesses over 90% of HTTPS web sites).
Tests 2 and 3 are not vulnerable to FREAK (but can only access 30% to 50% of HTTPS web sites).
Test 3 is based on MS advisory 3046015. Gpedit is not available on many versions of Windows but can be enabled.
Test 1 was redone Mar 10 2015 with the new Windows FREAK patches installed; see below.
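As an added example that is not part of this page, the PowerShell script below audits the Schannel registry keys the tests above change (Ciphers, Hashes, KeyExchangeAlgorithms, Protocols) and can apply the mitigation given above by writing Enabled=0 for the PKCS key exchange or the SHA hash. The registry locations are Schannel's standard ones; treating suite names containing "_EXPORT" or "_NULL_" as the weak entries, and reading the cipher suite order policy as the gpedit setting Test 3 relies on, are this example's assumptions. Run it in an elevated PowerShell session; Schannel reads these keys at boot, so a reboot follows any change.

```powershell
# Added example (not from the original page): audit the Schannel registry
# settings the tests manipulate and, if wanted, apply the page's mitigation
# (Enabled=0 on the PKCS key exchange or the SHA hash). Requires an elevated
# session; a reboot is needed for Schannel to pick up changes.
# Assumptions: suite names with "_EXPORT" / "_NULL_" are the weak ones, and the
# policy value below is the gpedit "SSL Cipher Suite Order" setting.

$Schannel    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SuitePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Categories  = 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms', 'Protocols'

function Get-SchannelState {
    # Report every subkey under one Schannel category with its Enabled state.
    # A missing Enabled value means Schannel's built-in default applies.
    param([Parameter(Mandatory)][ValidateSet('Ciphers','Hashes','KeyExchangeAlgorithms','Protocols')][string]$Category)
    $base = "$Schannel\$Category"
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        # Read through the RegistryKey object: cipher names such as "RC4 40/128"
        # contain '/', which the registry provider would misread as a separator.
        $enabled = $_.GetValue('Enabled')
        [pscustomobject]@{
            Category = $Category
            Item     = $_.Name -replace '^.*\\SCHANNEL\\[^\\]+\\', ''
            State    = if ($null -eq $enabled) { 'default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        }
    }
}

function Get-WeakSuitesInPolicy {
    # The cipher suite order policy stores a comma-separated suite list in the
    # Functions value. Return the EXPORT / NULL entries still listed, or nothing
    # when no policy is set (Schannel's built-in order, which includes them, then applies).
    $functions = (Get-ItemProperty -Path $SuitePolicy -Name 'Functions' -ErrorAction SilentlyContinue).Functions
    if (-not $functions) { return }
    ($functions -split ',') | Where-Object { $_ -match '_EXPORT|_NULL_' }
}

function Disable-SchannelItem {
    # Apply the page's mitigation to one entry, e.g.
    #   Disable-SchannelItem -Category KeyExchangeAlgorithms -Item PKCS
    #   Disable-SchannelItem -Category Hashes -Item SHA
    # Uses the .NET registry API so names containing '/' are created correctly;
    # -WhatIf previews the change without writing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('Ciphers','Hashes','KeyExchangeAlgorithms','Protocols')][string]$Category,
        [Parameter(Mandatory)][string]$Item
    )
    $subKey = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\$Category\$Item"
    if ($PSCmdlet.ShouldProcess("HKLM:\$subKey", 'Set Enabled = 0')) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')
        $key  = $hklm.CreateSubKey($subKey)
        $key.SetValue('Enabled', 0, 'DWord')
        $key.Close(); $hklm.Close()
    }
}

# Audit run: current state of every category, then any weak suites left in the policy order.
$Categories | ForEach-Object { Get-SchannelState -Category $_ } | Format-Table -AutoSize
$weak = Get-WeakSuitesInPolicy
if ($weak) { Write-Warning "Weak suites still in the cipher suite order policy: $($weak -join ', ')" }
```

Running the script as-is only reads the registry and prints the audit; the write path is reached only by calling Disable-SchannelItem explicitly, and passing -WhatIf to it shows which key would receive Enabled=0 so the compatibility cost described above can be weighed before rebooting.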