
Freak MITM Vulnerability Extends To Most Browsers, Microsoft OSes

By Adam Fowler - Source: Toms IT Pro

In early March 2015, security researchers discovered an SSL/TLS vulnerability and dubbed it "Freak." The vulnerability allows a man-in-the-middle attacker to force communications to use weaker 512-bit encryption, as opposed to the more secure 1024-bit. In turn, this weaker encryption could be broken in a matter of hours.

Originally identified as affecting web browsers on Google's Android and Apple's iOS and OS X, Freak's security flaw now extends to almost every browser, according to the team of computer scientists from the University of Michigan, who maintain freakattack.com. This includes many versions of Internet Explorer, Chrome and Safari. On Windows operating systems, only Internet Explorer was affected; Chrome and Firefox remain on the safe list.

Along with the browser vulnerability, Microsoft revealed that Windows servers are susceptible to the attack.

Any server that can "accept RSA_EXPORT cipher suites" is putting clients at risk, according to Freak Attack, where information around the vulnerability has been posted along with a list of the world's most popular websites that remain unpatched.

Beyond the browser issues, Microsoft has issued Security Bulletin MS15-031, which alerts users to further implications of the Freak technique: any server that uses SChannel (Microsoft's implementation of SSL/TLS) to communicate has the same weakness.

All Microsoft operating systems appear to be affected by the Freak attack, ranging from Windows Server 2003 all the way up to the unreleased Windows Server Technical Preview. Clients are just as bad, with Microsoft listing Vista and above as vulnerable, too.

Because the research team published details of its findings, Microsoft has been very quick to release information around the exploit, along with patches to operating systems and browsers that are still supported by the company.

Microsoft was also quick to point out that the security hole is "an industry-wide issue that is not specific to Windows operating systems," making it clear that the company is not solely taking the blame for this. To its credit, Microsoft has acted quickly, taking less than two days to publish Security Advisory 3046015, which contains workarounds, before official patches were made available.

Websites that check for unpatched servers and browsers have popped up quickly, such as KeyCDN's Freak Check, which lets system administrators check the status of their publicly available servers.
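The server-side condition quoted above ("accept RSA_EXPORT cipher suites") can be tested by offering a server only export suites and reading which suite, if any, it selects. The sketch below is an added example, not code from KeyCDN, freakattack.com or Microsoft; the function names and the sample replies are constructed for illustration, and the suite code points are the RSA export suites defined in RFC 2246.

```python
import os
import struct

# RSA export-grade suites from RFC 2246 (TLS 1.0), keyed by code point.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites=RSA_EXPORT_SUITES):
    """TLS 1.0 ClientHello record that offers only the given suites."""
    ids = b"".join(struct.pack("!H", s) for s in sorted(suites))
    body = (b"\x03\x01" + os.urandom(32)      # client_version, random
            + b"\x00"                          # empty session_id
            + struct.pack("!H", len(ids)) + ids
            + b"\x01\x00")                     # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def selected_export_suite(reply):
    """Name of the RSA_EXPORT suite the server picked, or None if it refused."""
    if len(reply) < 9 or reply[0] != 0x16 or reply[5] != 0x02:
        return None                            # alert, or not a ServerHello
    body = reply[9:9 + int.from_bytes(reply[6:9], "big")]
    if len(body) < 35:                         # version(2) + random(32) + sid_len(1)
        return None
    off = 35 + body[34]                        # skip the session_id
    if len(body) < off + 2:
        return None
    return RSA_EXPORT_SUITES.get(struct.unpack("!H", body[off:off + 2])[0])

def sample_server_hello(suite, session_id=b""):
    """Constructed ServerHello record, used here instead of a live server."""
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed replies: one server that accepts an export suite, and one that
# answers with a fatal handshake_failure alert (level 2, description 40).
VULNERABLE = sample_server_hello(0x0003, session_id=bytes(32))
REFUSED = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(selected_export_suite(VULNERABLE), selected_export_suite(REFUSED))
```

To check a server you administer, send `build_client_hello()` over a TCP connection to its TLS port and pass the first record received to `selected_export_suite()`; any result other than `None` means the server still accepts an RSA_EXPORT suite.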

Freak gives users of unsupported systems such as Windows Server 2003 Service Pack 1, Windows XP and any other older systems yet another reason to upgrade, and let's hope they do soon.
