Almost No One Is Immune from the FREAK Attack

Sue Marquette Poremba

At the end of last week, I started getting email messages warning me about the latest TLS/SSL vulnerability that has been discovered. This one is called the FREAK Attack and a site dedicated to informing users about the attack describes this new vulnerability in this way:

It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

The first reports of the FREAK Attack, which like Heartbleed involves open source code, came as warnings about Mac and Android-native browsers, although Chrome appeared to be safe, as is Firefox. BlackBerry browsers are also affected by the vulnerability. At first glance, it looked like Windows machines were okay. A second glance, however, tells a different story.

Microsoft is now warning that your PC could also be vulnerable to a FREAK attack and it could affect all versions of Windows. Even if you don’t use the Internet Explorer browser, the vulnerability is still lurking on your machine, as writer David Meyer discovered and wrote in GigaOm after running the FREAK test tool. For the record, I discovered the same thing when I ran the test tool on both Chrome and Firefox on my computer. I never use IE on this computer.

So, since many of our computers and devices are likely vulnerable, what can you do? First, see if there is a patch available to be downloaded and, if so, download it immediately. The FREAK Attack website has a list of patch stages for the different browsers. After that, it gets pretty complicated if you don’t want to wait for the patch, although most enterprise IT staff should have a handle on this. People like me who work independently will have to take extra time to figure it out or find someone who can help us. Most of the help steps I’ve found online cover only the Windows FREAK vulnerability, however.

One of the predictions coming into 2015 was the discovery of more 1990s and older vulnerabilities hidden away in open source applications. It took a little more than two months to find this first one, but I expect it won’t be the last one that is identified this year.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba
