At the end of last week, I started getting email messages warning me about the latest TLS/SSL vulnerability that has been discovered. This one is called the FREAK Attack, and a site dedicated to informing users about the attack describes this new vulnerability in this way:
It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.
The first reports of FREAK Attack, which like Heartbleed traces in part to a bug in OpenSSL (the flaw sits in the TLS client libraries that accept a downgrade to 1990s "export-grade" RSA, not in a single browser), came as warnings about Safari on Mac and the stock Android browser, although Chrome appeared to be safe on most platforms, as did Firefox. BlackBerry browsers are also affected by the vulnerability. At first glance, it looked like Windows machines were okay. A second glance, however, tells a different story.
Microsoft is now warning that your PC could also be vulnerable to a FREAK attack, and it could affect all supported versions of Windows. The affected component is Schannel, the TLS library built into Windows, so even if you don't use the Internet Explorer browser the vulnerability is still lurking on your machine: any program that relies on the system library for its HTTPS connections is exposed, as writer David Meyer discovered and wrote in GigaOm after running the FREAK test tool. For the record, I discovered the same thing when I ran the test tool on both Chrome and Firefox on my computer. I never use IE on this computer.
So, since many of our computers and devices are likely vulnerable, what can you do? First, check whether a patch is available for your browser and operating system and, if so, install it immediately. The FREAK Attack website tracks the patch status of the different browsers. If you don't want to wait for a patch, the workaround is to stop offering and accepting the RSA export cipher suites in your TLS configuration, on both clients and servers; that gets pretty complicated for an end user, although most enterprise IT staff should have a handle on it. For people like me who work independently, we will have to take extra time to figure it out or find someone who can help us. Most of the help steps I've found online cover only the Windows FREAK vulnerability, however.
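To make the downgrade concrete, here is an added example, not code from the original article or from the FREAK researchers: a minimal TLS handshake builder and parser that shows the check a vulnerable client skipped. In a FREAK attack the man-in-the-middle rewrites the ClientHello so that only RSA export suites are offered, the server picks one and sends a 512-bit RSA key, and the buggy client accepts that ServerHello even though it never offered an export suite. A correct client rejects any suite it did not offer and refuses export-grade suites outright. The cipher suite code points are the IANA values; the function and constant names and the byte strings built by the helpers are constructed for this demonstration.

```python
"""Added example (not from the original article): build and parse TLS ClientHello /
ServerHello records and apply the check FREAK-vulnerable clients got wrong.
All byte strings here are constructed by the helper functions, not captured traffic."""
import os
import socket
import struct

# IANA TLS cipher-suite code points for the RSA export suites FREAK abuses.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Two ordinary suites a 2015-era client would offer (IANA values).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035

HANDSHAKE = 0x16      # record-layer content type
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02
TLS_1_0 = b"\x03\x01"


def build_client_hello(suites, version=TLS_1_0):
    """Return a TLS record carrying a bare ClientHello that offers `suites`."""
    body = version + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite, version=TLS_1_0):
    """Return a TLS record carrying a ServerHello that selects `suite`.
    Used here to stand in for a server (or a MITM) answering the client."""
    body = version + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def parse_server_hello(record):
    """Return the cipher suite chosen in a ServerHello record; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) compression(1)
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]
    if off + 3 > len(body):
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]


def is_export_grade(suite):
    return suite in RSA_EXPORT_SUITES


def client_accepts(offered, server_hello_record):
    """The check a non-vulnerable client performs: the chosen suite must be one it
    offered, and must never be export grade. Returns (accepted, reason)."""
    chosen = parse_server_hello(server_hello_record)
    if chosen not in offered:
        return False, "server chose 0x%04x, which we never offered (downgrade attempt)" % chosen
    if is_export_grade(chosen):
        return False, "server chose export-grade %s" % RSA_EXPORT_SUITES[chosen]
    return True, "negotiated 0x%04x" % chosen


def probe_server(host, port=443, timeout=5.0):
    """Live check of a server you are authorised to test: offer ONLY RSA export suites.
    Returns the export suite the server accepted, or None if it refused."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        data = s.recv(4096)
    try:
        chosen = parse_server_hello(data)
    except ValueError:
        return None  # an alert or nothing usable: the server refused the export suites
    return chosen if is_export_grade(chosen) else None


if __name__ == "__main__":
    offered = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    # Honest server: picks something we offered.
    print(client_accepts(offered, build_server_hello(TLS_RSA_WITH_AES_128_CBC_SHA)))
    # MITM rewrote our ClientHello and the server picked an export suite we never offered.
    print(client_accepts(offered, build_server_hello(0x0003)))
```

The `probe_server` function is the same idea as the well-known server-side check, `openssl s_client -connect host:443 -cipher EXPORT`: a server that completes a handshake when only export suites are offered is still serving them and should have EXPORT removed from its cipher list. The client-side fix is the second branch of `client_accepts`; the first branch alone would not help a client that genuinely offers export suites, which is why patched browsers dropped them entirely.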
One of the predictions coming into 2015 was the discovery of more 1990s-era and older vulnerabilities hidden away in open source code; the export-grade cipher suites FREAK exploits are exactly that, a leftover of 1990s U.S. export restrictions that was never removed. It took a little more than two months to find this first one, but I expect it won't be the last one that is identified this year.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba