WTF!! What is the FREAK vulnerability? Why Should i care ?
Last year, the OpenSSL vulnerability called Heartbleed causes so much problem for the internet users. It was one of the most dangerous security flaws because it affected every big website and allowed hackers to hack SSL protected websites. However, There’s another widespread vulnerability on the internet called ‘FREAK’ and it has affected a lot of internet websites and browsers.
The FREAK is the acronym for Factoring RSA Export Keys flaw. FREAK is a bug that allows attackers access to secure communications. It was discovered in software that was used to encrypt data that went from web servers to web users. It has been in existence for a decade now but was only thought to affect Apple’s Safari as well as Google’s Android browsers. Now however, Windows has been added to that mix.
It affects all versions of Windows which use Internet Explorer. All Microsoft Software that utilizes the Secure Channel via the Windows — Secure Sockets Layer and its descendant, the Transport Layer Security also has FREAK Vulnerability.
FREAK vulnerability permits an attacker to easily intercept data that is moving between the source site and a visitor to use a weak encryption which makes it possible and easy to crack the data and reach sensitive information such as passwords as well as access the data on that page. This FREAK flaw was exposed by encryption and security guru Karthikeyan Bhargavan.
The FREAK vulnerability gives the attacker an easy channel to forcefully downgrade any coded suite that is used in SSL/TLS connections on the system of a Windows Client System. The FREAK technique is an issue that affects the whole industry and if left unsolved might lead to software crisis worldwide.
In an attempt to value the impact of this bug a group has been set up to evaluate and gather numbers regarding the worldwide risk. A 9.5% of the overall worldwide web’s one million websites have been found with Freak Vulnerability and are therefore prone to attacks. They have introduced an online tool so people can check whether the browser they are using is at risk.
To counter the Freak Vulnerability, Google has updated its Chrome Version for the Mac but Android is still on review. Apple is also geared to introduce a solution soon. There have been various advisories from Microsoft concerning how to eliminate the Freak Vulnerability. Unfortunately, these solutions can lead to very severe problems with other programs. Because of this, other better solutions are being sought. Microsoft is expected to address the issue with its scheduled patch Tuesday update or an irregular one.
Though there has been no report of the use of this flaw for cyber crime, the frenzy with which a solution is being sought reflects its seriousness. Microsoft has even suggested that Windows users disable their RSA export ciphers in the meantime.
Many experts blame the FREAK flaw on the earlier US policy bans that barred the strongest encryption standard appliance. This allowed the infiltration of weaker standards in most software including Web browsers and Windows. This was done so as to allow intelligence agencies to keep an eye on web action. The remnants of this ban are the cause of the FREAK vulnerability today.
According to the miTLS Team, which discovered this FREAK security hole in the first place, the following SSL/TLS client libraries, are vulnerable:
- OpenSSL (CVE-2015-0204): < 1.0.1k version.
- BoringSSL: Older than Nov 10, 2014 version .
- LibReSSL: < 2.1.2 Version.
Web browsers that use these TLS libraries are open to attack :
- Chrome versions before 41 on various platforms are vulnerable.
- Internet Explorer.
- Safari is vulnerable.
- Android Browser is vulnerable.
- Blackberry Browser is vulnerable.
- Opera on Mac and Android is vulnerable. .
It is advisable for all users to keep an eye out for updates so as to protect their systems once a solution is found or switch your web browser to Chrome 41 or Latest Firefox browser. Staying ignorant might cause a lot of long term losses that will be irreparable.