Microsoft issued a security warning a fortnight ago concerning a bug, originally thought only to affect Android, Blackberry and the Safari browser, called FREAK. Two weeks in and issues are still surfacing.
FREAK also casts a much wider net than first thought, affecting almost any browser and many websites that use SSL/TLS and HTTPS, as ESET security specialist Mark James confirms. “It’s another flaw or weakness in supposedly secure data transport from your web user to your web server, this flaw allows someone to infiltrate and steal information that you thought was safe,” explains Mark.
“Anyone using web browsers accessing websites with SSL or TLS along with some older OpenSSL, you should check your browser to see if it’s affected immediately and if so then switch to another.”
A comprehensive list of affected browsers and popular websites is available here, along with some great advice and background on FREAK.
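The quotes above tell you to check whether your software is affected. The script below is an added example, not part of the ESET post: it uses the OpenSSL command-line tool (assumed to be installed) to answer two defender-side questions. First, does the local OpenSSL build still ship the 1990s export-grade RSA suites that a FREAK downgrade relies on? Second, does a server you administer (host and port are placeholders you supply) still accept an export-grade handshake? Only the first check runs by default; the server check runs when a host name is given as the first argument.

```shell
#!/bin/sh
# Added example (not from the ESET post). Assumes the OpenSSL CLI is installed;
# any host/port passed in are your own servers, supplied as arguments.

# 1. Does this OpenSSL build still contain export-grade (40/56-bit) suites?
#    Returns 0 = export suites present (old build), 1 = none present,
#    2 = openssl not installed.
export_suites_present() {
    command -v openssl >/dev/null 2>&1 || return 2
    # 'EXPORT' is OpenSSL's cipher-string alias for export-grade suites; builds
    # that removed them fail here with "no cipher match".
    if openssl ciphers 'EXPORT' >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# 2. Does a server you administer complete a handshake when offered only
#    export suites? Returns 0 = negotiated an export suite (fix the server's
#    cipher list), 1 = refused, 2 = cannot test from this build.
server_accepts_export() {
    host="$1"; port="${2:-443}"
    export_suites_present || return 2
    # s_client prints "Cipher is EXP-..." when an export suite is negotiated.
    if printf '' | openssl s_client -connect "$host:$port" -cipher 'EXPORT' 2>/dev/null \
        | grep -q 'Cipher is EXP'; then
        return 0
    fi
    return 1
}

# Human-readable summary; the server check runs only when a host is supplied.
freak_report() {
    export_suites_present; rc=$?
    case $rc in
        0) echo "local openssl: export-grade suites still available (old build)";;
        1) echo "local openssl: no export-grade suites (good)";;
        *) echo "local openssl: not installed, cannot test";;
    esac
    if [ -n "$1" ]; then
        server_accepts_export "$1" "${2:-443}"; src=$?
        case $src in
            0) echo "$1: ACCEPTS export RSA; remove EXPORT suites from its cipher list";;
            1) echo "$1: refuses export RSA (good)";;
            *) echo "$1: cannot test from this OpenSSL build";;
        esac
    fi
}

freak_report "$@"
```

A modern OpenSSL build reports no export suites at all, which is exactly the state you want on both client and server: if the suites are not compiled in, a downgrade to them cannot succeed regardless of what the other side offers.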
Heartbleed and Shellshock
Although it has the scope to be extremely damaging, there is little evidence that it is being exploited, and patches have been coming thick and fast.
“It would seem that this particular flaw is not widely being used, that’s not to say it’s any less of a danger than Heartbleed, Shellshock, Poodle, Beast etc.
“We need to take any flaw that involves a presumed level of security very seriously indeed, this needs as much attention and concern as any of the others.”
The issue with any announcement of a major flaw or bug is that it becomes common knowledge, so anyone who is slow to patch leaves themselves wide open to attack, just as in Google’s feud with Microsoft over disclosure.
“Any delay however small once a flaw has been made public will increase the chances of it being exploited; whilst a small number of people may be aware of this flaw already, once it goes public any number of people may then attempt to use this for the wrong reasons.
“It’s certainly good news that no evidence exists yet of any exploits but evidence and practice do not necessarily go hand in hand.
“Getting this patched as soon as possible by all the affected software parties is a priority and it’s good to see that some already have.”
Cause and Effect
At the time of writing, a great deal of progress has been made toward securing the web at large from FREAK attacks, while some possible applications of the flaw are only just coming to light.
Graham Cluley covers the FREAK attack in fine style in this Q&A-style piece, in which he talks specifically about how it was able to happen.
It turns out that some poor code from the 1990s is partly to blame, but how is old code allowed to stick around?
“As newer techniques are found to exploit or circumvent the very means we think are there to protect us then the need to patch and adapt quickly is also very important.
“As code gets older then this becomes a much bigger problem, using newer more secure code will often limit the time it takes to patch these problems but as with any software it will always be at risk.
“We will never have 100% secure code and will always be playing cat and mouse between the good and bad guys.”
Join the ESET UK LinkedIn Group and stay up to date with the blog.
Have you checked the FREAK tracking website? Did you change your default browser or avoid webpages because of it?