Software bug named ‘FREAK’ allows attackers to spy on supposedly secure communications

March 6th 2015

Updated on Friday, the 13th of March.  

On Tuesday, the 3rd of March 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

The vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Key), dates back more than a decade. It was initially thought only to affect some users of Android and BlackBerry phones and Apple's Safari web browser. However, on Thursday, the 5th of March, Microsoft issued a security advisory confirming that Windows was also vulnerable to attacks.
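The downgrade described above only works when a server still offers export-grade RSA cipher suites and a client accepts a suite it never asked for. The short Python script below is an added illustration (not code from the original post or from IT Force) of the two checks a defender cares about: auditing a server's advertised suite list for export-grade entries, and applying the client-side sanity check that a ServerHello must pick a suite the client actually offered. The suite list is a constructed sample using IANA cipher suite names; the function names are our own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: cipher suites a hypothetical server advertised, as an
# audit tool would report them using IANA suite names. Three are export-grade.
SAMPLE_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
]

# Export-grade suites carry "EXPORT" (or the slightly stronger "EXPORT1024")
# between the key-exchange and cipher parts of the IANA name.
EXPORT_RE = re.compile(r"_EXPORT(1024)?_")


def is_export_suite(name: str) -> bool:
    """True if the IANA suite name denotes an export-grade (40/56-bit) suite."""
    return bool(EXPORT_RE.search(name))


@dataclass
class AuditResult:
    vulnerable: bool
    export_suites: list = field(default_factory=list)
    safe_suites: list = field(default_factory=list)


def audit_suites(suites: list) -> AuditResult:
    """Server-side check: a server offering any export suite is a FREAK target."""
    export = [s for s in suites if is_export_suite(s)]
    safe = [s for s in suites if not is_export_suite(s)]
    return AuditResult(vulnerable=bool(export), export_suites=export, safe_suites=safe)


def harden(suites: list) -> list:
    """Return the suite list with every export-grade entry removed.

    On OpenSSL-based servers the equivalent is adding "!EXPORT" to the cipher
    string, e.g. "HIGH:!aNULL:!EXPORT".
    """
    return [s for s in suites if not is_export_suite(s)]


def server_hello_acceptable(offered: list, chosen: str) -> bool:
    """Client-side check: the negotiated suite must be one the client offered
    and must not be export-grade. FREAK relied on clients skipping this."""
    return chosen in offered and not is_export_suite(chosen)


if __name__ == "__main__":
    result = audit_suites(SAMPLE_SERVER_SUITES)
    print("vulnerable:", result.vulnerable)
    for s in result.export_suites:
        print("  export-grade suite offered:", s)
    print("hardened list:", harden(SAMPLE_SERVER_SUITES))
```

Run against the sample list, the audit flags the three export suites and the hardened list keeps only the AES suites. The last function shows the client-side half of the fix: a ServerHello selecting an export suite the client never offered is rejected outright, which is what the browser and OS patches mentioned below restored.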

If you are a client of IT Force, please be assured that we will be monitoring any developments of this potential security threat.  We have rolled out patches / hotfixes on all internet facing servers as they have become available.

Update:

Microsoft and Apple have now released software fixes for FREAK.  The updates were made available about a week after the flaw was made public.  They require users to restart their computers and smartphones after installation. Google patched its Chrome browser and distributed an Android fix last week.  
