ALERT: Time to FREAK Out?
A vulnerability that could allow man-in-the-middle eavesdroppers to crack HTTPS (secure web connections) and steal sensitive data exists in every version of Windows, Mac OS X, iOS, Android, and even Blackberry OS. EVERYBODY PANIC! FREAK OUT! For a few days, at least. Here's what you need to know now...
What is the FREAK Vulnerability?
The vulnerability is called FREAK for “Factoring Attack on RSA-EXPORT Keys.” (I guess "FAREK" didn't sound as cool.) It stems from an obsolete U.S. government export restriction that forced software developers to write weaker encryption into products that they sold internationally. The restriction was lifted more than a decade ago, and everyone thought the weaker algorithm had been dropped from software that used encryption.
But in fact, it has persisted and even found its way into products sold in the U.S. And among those vulnerable products are Microsoft Windows, Internet Explorer, Mac OS X, the Safari browser, and Android. Use any of those?
The researchers found that they could force a Web connection that is secured with strong encryption to switch to the weaker (obsolete) encryption, and then crack (decode) it. Then they could eavesdrop on everything that passed through that connection.
Of course, it took seven hours to crack the "weak" encryption, which is kind of a long time for a given Web connection to last and for hackers to have access to it. But no matter how improbable the scenario is, the vulnerability has been demonstrated so it’s just got to be taken seriously and fixed right now!
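The forced switch to weaker encryption shows up on the wire as a connection request (a TLS ClientHello) asking for an RSA export cipher suite. The sketch below is an added example, not code from the original article or the researchers: it parses a ClientHello and reports any export-grade RSA suites it requests. The suite IDs are the ones defined in RFC 2246; the helper `build_sample_hello` and both sample messages are constructed for illustration.

```python
import struct

# RSA export-grade suites defined in RFC 2246 (TLS 1.0).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def client_hello_suites(record):
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                      # skip client_version and random
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]             # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    n = struct.unpack_from("!H", hello, pos)[0]
    suites = hello[pos + 2:pos + 2 + n]
    if len(suites) != n or n % 2:
        raise ValueError("bad cipher suite list")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, n, 2)]

def export_suites_offered(record):
    """Names of RSA export suites requested by this ClientHello, if any."""
    return [RSA_EXPORT_SUITES[s] for s in client_hello_suites(record)
            if s in RSA_EXPORT_SUITES]

def build_sample_hello(suites):
    """Hypothetical helper: build a minimal ClientHello record for testing."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed samples: a normal request (AES suites) and one asking for export RSA.
STRONG = build_sample_hello([0x002F, 0x0035])
TAMPERED = build_sample_hello([0x0003])

if __name__ == "__main__":
    for name, rec in (("strong", STRONG), ("tampered", TAMPERED)):
        print(name, export_suites_offered(rec) or "no export suites")
```

A server or network sensor that logs a non-empty result has seen a request for the obsolete encryption and can alert on it or refuse the connection.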
Microsoft is expected to include a patch for Windows in its regular monthly security update, scheduled for March 10. Probably. But they've been a bit nonchalant about the entire issue. Even though they knew about the flaw, and that it did affect Windows, they didn't publicly acknowledge that fact until several days later, saying "When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."
Apple has promised that a patch for OS X and iOS will be issued during the second week of March. Google Chrome users should check their Chrome browser versions and upgrade to v.41 if necessary; in many cases, that’s done automatically.
Should I Switch Browsers?
The Firefox browser does not have the FREAK vulnerability. Switch from Internet Explorer to Firefox or Chrome v.41 if you’re worried about being hacked during the next few days. (That’s another reason to be grateful for cross-platform software that isn’t moored to a single operating system.)
Microsoft will not issue a FREAK patch for Windows XP (except to enterprise customers who are paying big bucks for extended XP support). If you’re still using XP and Internet Explorer, you should know that secure web browsing is off the table.
The FREAK vulnerability is the latest in a string of vulnerabilities that have existed for years, even decades, and are only now being publicized by security researchers. Earlier examples include the ubiquitous USB firmware vulnerability, Heartbleed (the OpenSSL vulnerability), and ShellShock. It’s unknown whether hackers or government agencies have known about or ever exploited these long-standing vulnerabilities.
The Bottom Line
Bottom line, if you are using Windows, I'd advise you to stop using Internet Explorer and switch to Google Chrome or Firefox. I've said for years that problems will inevitably arise from a web browser that's tightly bound to the operating system. But don't think this is just a Microsoft issue.
The same thing applies to Mac OS X or iOS users. Stop using the built-in Safari browser and switch to Chrome or Firefox.
If you use an Android device, take a pass on the built-in browser and make sure you have Chrome v.41.
Even if your operating system or browser is "fixed" this week or next, I would still make the same recommendations. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 9 Mar 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved