ALERT: Time to FREAK Out?

Category: Security

A vulnerability that could allow man-in-the-middle eavesdroppers to crack HTTPS (secure web connections) and steal sensitive data exists in every version of Windows, Mac OS X, iOS, Android, and even Blackberry OS. EVERYBODY PANIC! FREAK OUT! For a few days, at least. Here's what you need to know now...

What is the FREAK Vulnerability?

The vulnerability is called FREAK for “Factoring Attack on RSA-EXPORT Keys.” (I guess "FAREK" didn't sound as cool.) It stems from an obsolete U.S. government export restriction that forced software developers to write weaker encryption into products that they sold internationally. The restriction was lifted more than a decade ago, and everyone thought the weaker algorithm had been dropped from software that used encryption.

But in fact, it has persisted and even found its way into products sold in the U.S. And among those vulnerable products are Microsoft Windows, Internet Explorer, Mac OS X, the Safari browser, and Android. Use any of those?

The researchers found that they could force a Web connection that is secured with strong encryption to switch to the weaker (obsolete) encryption, and then crack (decode) it. Then they could eavesdrop on everything that passed through that connection.
FREAK Vulnerability

Of course, it took seven hours to crack the "weak" encryption, which is kind of a long time for a given Web connection to last and for hackers to have access to it. But no matter how improbable the scenario is, the vulnerability has been demonstrated so it’s just got to be taken seriously and fixed right now!

Microsoft is expected to include a patch for Windows in its regular monthly security update, scheduled for March 10. Probably. But they've been a bit non-chalant about the entire issue. Even though they knew about the flaw, and that it did affect Windows, they didn't publicly acknowledge that fact until several days later, saying "When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."

Apple has promised that a patch for OS X and iOS will be issued during the second week of March. Google Chrome users should check their Chrome browser versions and upgrade to v.41 if necessary; in many cases, that’s done automatically.

Should I Switch Browsers?

The website FreakAttack.com has some good information on which operating systems, websites and web browsers are currently vulnerable, and when fixes are expected from the software vendors. However, it is NOT an accurate test site for your web browser. As I write this, it is flagging both Firefox and Chrome v41 as vulnerable to the FREAK attack, but they are not!

The Firefox browser does not have the FREAK vulnerability. Switch from Internet Explorer to Firefox or Chrome v.41 if you’re worried about being hacked during the next few days. (That’s another reason to be grateful for cross-platform software that isn’t moored to a single operating system.)

Microsoft will not issue a FREAK patch for Windows XP (except to enterprise customers who are paying big bucks for extended XP support). If you’re still using XP and Internet Explorer, you should know that secure web browsing is off the table.

The FREAK vulnerability is the latest in a string of vulnerabilities that have existed for years, even decades, and are only now being publicized by security researchers. Earlier examples include the ubiquitous USB firmware vulnerability, Heartbleed, the OpenSSL vulnerability, and ShellShock. It’s unknown whether hackers or government agencies have known about or ever exploited these long-standing vulnerabilities.

The Bottom Line

Bottom line, if you are using Windows, I'd advise you to stop using Internet Explorer and switch to Google Chrome or Firefox. I've said for years that problems will inevitably arise from a web browser that's tightly bound to the operating system. But don't think this is just a Microsoft issue.

The same thing applies to Mac OS X or iOS users. Stop using the built-in Safari browser and switch to Chrome or Firefox.

If you use an Android device, take a pass on the built-in browser and make sure you have Chrome v41.

Even if your operating system or browser is "fixed" this week or next, I would still make the same recommendations. Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

 
  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 9 Mar 2015


For Fun: Buy Bob a Snickers.

Prev Article:
REVIEW: Samsung Galaxy S6 Smartphone

The Top Twenty
Next Article:
Is Your Car Vulnerable to Hackers?

Most recent comments on "ALERT: Time to FREAK Out?"

Posted by:

Rhonda Lea Kirk Fries
09 Mar 2015

I enabled the workaround in Group Policy (there's also a workaround for those running Windows versions without access to Group Policy). If it's on my machine, I want it to be secure, even if I don't use it.

Unfortunately, the workaround immediately results in a bazillion SCHANNEL errors in the event viewer (36887, fatal alert 40), so I had to disable SCHANNEL logging.

Is it me or was this all so much easier 25 years ago? (Pining for the good old days must mean I'm old. Oh well.)


Posted by:

Robert Kemper
09 Mar 2015

Many thanks for your security warning, Bob. I'm
making corrections immediately.


Posted by:

Jim
09 Mar 2015

Does this apply to AOL's IE browser also?

EDITOR'S NOTE: IE is IE is IE.


Posted by:

Lori Schuster
09 Mar 2015

I know of several financial institutions that require users to access secure information via Internet Explorer. Their platforms are not accessible with any other browser. How might this affect the personal information of clients? Thank you for your insight.


Posted by:

Bob K.
09 Mar 2015

Hi Bob,

Thanks for another timely article!
As a general rule I use Chrome, however in case I want to use IE, would having a VPN offer any protection?

Best,
-Bob K.


Posted by:

Mike McCuaig
09 Mar 2015

Thank you Bob for this, I did not even know my chrome was outdated.


Posted by:

DEP
09 Mar 2015

What about the Email App on iPhones? Should I avoid using it?


Posted by:

RandiO
09 Mar 2015

woot! It appears that just about every server, every client, every major OS, every major browser is vulnerable! Wait! Wait! But NOT firefox??????? How is that possible?
I might as well make all my personal data public under GNU license, just in case they don't have it already and then add a donation tip-jar to hope for some residuals!


Posted by:

MmeMoxie
10 Mar 2015

I keep saying ... The Hackers just get smarter and faster!!!

Back in 1996, the only thing I had to worry about was Viruses. Then the threats and hackers got smarter, there were Trojan Horses and Worms. Along came Spyware/Malware. All of this came from emails, in the beginning or using a floppy disk, to download files from your work, where all of the computers were "infected."

We are now, in the era of Browsers that cause most of our computer problems, today. Again, the Hackers/Crackers have grown in intelligence and purpose.

If, my statements are not true ... Then why oh why, do we have so many Anti-Virus or Internet Security programs, on the market???

For the smart computer user ... To create a secure connection, the passwords are long and unique. Using small and Capital letters, symbols and numbers. Way harder to "crack" these kinds of passwords. However, this may not even stop the Hackers, from cracking "codes" in the Browsers, to simply cause chaos and identity theft.


Posted by:

Doug
10 Mar 2015

I like firefox ... just not the latest version.


Posted by:

Lori Schuster
12 Mar 2015

I wish someone could address my question concerning financial institutions who require the use of IE to access their proprietary platforms for clients. How vulnerable are these programs to this type of security breach? Thanks!

EDITOR'S NOTE: Microsoft has issued a patch for FREAK. Use Windows Update to make sure it's applied.


Posted by:

Karena
12 Mar 2015

Lori:
You could try firefox with the User Agent Switcher or User Agent Overrider extension - it makes your browser mimic another to websites (i.e. can make your bank think you're using IE). I've had really good luck with it - I can't guarantee that it would work with your bank, but if you're looking for a browser change, I recommend giving it a shot!


Posted by:

Jason
13 Mar 2015

Even though I've been using a Linux distro for a few years now, I abandoned IE almost immediately when I was using Windows. Some things just shouldn't be built into the OS, I often wished I could remove IE from my Windows installation entirely. On my (rooted) Fire tablet I have never used the stock browser, that's just bad form...


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.


Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML


Article information: AskBobRankin -- ALERT: Time to FREAK Out? (Posted: 9 Mar 2015)
Source: https://askbobrankin.com/alert_time_to_freak_out.html
Copyright © 2005 - Bob Rankin - All Rights Reserved