FREAK security flaw

A newly discovered vulnerability believed to exist since the 90s has been discovered. Dubbed as FREAK, (Factoring RSA Export Keys), the vulnerability forces a secure connection to use weaker encryption—making it easy for cybercriminals to decrypt sensitive information.
FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the mitLS team. They found that OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients are vulnerable to man-in-the-middle (MITM) attacks. Once attackers are able to intercept the HTTPS communication between vulnerable clients and servers, they force the connection to use the old export-grade encryption. Attackers who “listen” in on the communication will then be able to decrypt the information with relative ease.
Apple’s SecureTransport is used by applications running on iOS and OS X. These include Safari for iPhones, iPads, and Macs. Meanwhile, OpenSSL is used by Android browsers and other application packages.
According to reports, 37% of browser-trusted sites are affected by this flaw. Affected sites include Bloomberg, Business Insider, ZDNet, HypeBeast, Nielsen, and the FBI. It bears stressing that there are country-specific sites that were also affected.
To address the FREAK security flaw, OpenSSL has provided a patch for CVE-2015-0204 in January. Apple is reportedly deploying a patch for both mobile devices and computers.
Trend Micro is advising all Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected.
For more information about the FREAK security flaw, visit Trend Micro blog.

1 comment

Leave a Reply

Your email address will not be published. Required fields are marked *