SSL Vulnerability FREAK attack


On 3 March 2015 researchers announced a new SSL vulnerability named the FREAK attack. Microsoft issued a security advisory on 5 March about the bug, which could let attackers spy on communications that are supposed to be secure.

The bug is known as “FREAK”. It affects Microsoft’s Windows Server and desktop operating systems from Server 2003 and Vista upwards, including the latest version of each, Windows Server 2012 R2 and Windows 8.1. Other affected systems include Google’s Android, Apple’s Safari web browser and BlackBerry phones.

The flaw lets attackers force data travelling between a vulnerable site and a site visitor to use weak encryption. Microsoft claims it has no information to suggest the vulnerability is being actively exploited by hackers.

Microsoft has issued advice on how to work around the vulnerability, but has caveated that advice by stating that applying the workaround could cause “serious problems” with other programs. It is currently working on a security update that will remove the vulnerability.

Microsoft Workaround guidance: https://technet.microsoft.com/en-us/library/security/3046015

Google has announced that it has developed a patch and provided it to partners, but as Google does not directly push out Android software updates it is unclear when the patch will reach users. Device manufacturers and mobile carriers typically handle issuing Android updates to devices.

Apple has released information suggesting it will push out a patch in the coming week.

There is an online tool to check whether your browser is vulnerable to the flaw at https://freakattack.com/