
Apple and Google prepare patches for FREAK SSL flaw



Here is the text of an article describing what it is and what it can do. Very critical, because if your Android or Apple phone or tablet is used for any purchases and/or banking, they can get between. It does not affect Windows.




"A new web crypto bug is affecting many Safari and Android users. Who's going to get the fix first?


Apple and Google are preparing patches for a newly-revealed bug in the web encryption protocols used by the two companies' mobile browsers.


The FREAK bug disclosed yesterday is the latest in a series of vulnerabilities affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to encrypt traffic between an HTTPS website and a browser.

A man-in-the-middle attacker can force connections between affected browsers and websites to downgrade from 'strong' RSA encryption to a weaker version known as 'export grade' RSA. That weaker version is a by-product of laws from the 1990s that made it illegal to export from the US products with strong cryptography.


Thousands of sites are vulnerable, including that of the US National Security Agency - the same agency that pushed for weaker export grade encryption, according to Ed Felten, director of Princeton's Center for Information Technology Policy.


"There is an important lesson here about the consequences of crypto policy decisions: the NSA's actions in the '90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later," Felten wrote on his blog yesterday.


The bug affects SSL/TLS servers and clients, in particular OpenSSL browsers, such as the Android browser that shipped with all Android devices before version 4.4 KitKat, according to the researchers at INRIA in Paris who discovered the flaw. KitKat, which shipped with Chrome as the default, currently accounts for about 40 percent of all Android devices, but that still means the bulk of Android devices are affected.


Apple's Safari browser on desktop systems and mobile devices is also affected. However, Chrome is not affected and nor are Internet Explorer and Firefox.


According to Reuters, Apple is developing patches for the bug and will push them out next week. Asked to confirm the timing of the patch, Apple directed ZDNet to a Washington Post article.


A patch for Android users is likely to take a longer time to arrive. Google told Reuters it had provided a fix to its Android partners, such as handset makers and carriers; however, it's not clear if or when those partners will push the patch to end-users.


Google had not responded to a request for comment at the time of publication"


The full article with links to the WP and other articles on it is here:


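The downgrade the article describes leaves a visible trace in the handshake itself. The following Python is an added example, not code from the quoted article or from the researchers who found FREAK: it parses ClientHello, ServerHello and ServerKeyExchange messages and flags (1) export RSA suites in the client's offer, (2) an export suite selected by the server, and (3) the exact FREAK pattern, which goes one step beyond the article's summary: a strong RSA suite in the ServerHello followed by a ServerKeyExchange carrying a short RSA key, the combination that un-patched clients accepted. The cipher suite identifiers are the registered TLS values; the sample messages at the bottom are constructed by hand, not a real capture.

```python
"""Flag export-grade RSA (FREAK) downgrades in captured TLS handshake messages.

Added example, not code from the quoted article or the FREAK researchers.
Sample messages at the bottom are constructed by hand, not a real capture.
"""
import struct

# RSA key-exchange suites whose ServerKeyExchange carries a weak "export" RSA key.
# 0x0003/0x0006/0x0008 are the standard 40-bit RSA_EXPORT suites, 0x0060-0x0064
# the draft 56-bit RSA_EXPORT1024 suites that some servers also left enabled.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0060: "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
    0x0061: "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
# Non-export suites with static RSA key transport: these never send a
# ServerKeyExchange, so one appearing means the ServerHello was rewritten.
STATIC_RSA_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}

RECORD_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x01, 0x02, 0x0C


def handshake_body(data):
    """Return (msg_type, body), skipping the 5-byte record header if present."""
    if data[0] == RECORD_HANDSHAKE:
        (rec_len,) = struct.unpack("!H", data[3:5])
        data = data[5:5 + rec_len]
    msg_len = int.from_bytes(data[1:4], "big")
    body = data[4:4 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated handshake message")
    return data[0], body


def hello_cipher_suites(data):
    """Suites offered by a ClientHello, or the single suite a ServerHello selected."""
    msg_type, body = handshake_body(data)
    pos = 2 + 32 + 1 + body[34]                  # skip version, random, session id
    if msg_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    if msg_type == SERVER_HELLO:
        return [struct.unpack("!H", body[pos:pos + 2])[0]]
    raise ValueError("not a Hello message")


def rsa_modulus_bits(server_key_exchange):
    """Bit length of rsa_modulus in ServerRSAParams (RFC 5246, section 7.4.3)."""
    msg_type, body = handshake_body(server_key_exchange)
    if msg_type != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange")
    (mod_len,) = struct.unpack("!H", body[:2])
    return int.from_bytes(body[2:2 + mod_len], "big").bit_length()


def freak_findings(client_hello, server_hello, server_key_exchange=None):
    """Findings for one handshake as seen from the capture point."""
    findings = []
    offered = hello_cipher_suites(client_hello)
    chosen = hello_cipher_suites(server_hello)[0]
    weak = [EXPORT_RSA_SUITES[s] for s in offered if s in EXPORT_RSA_SUITES]
    if weak:
        findings.append("client offered export RSA suites: " + ", ".join(weak))
    if chosen in EXPORT_RSA_SUITES:
        findings.append("server selected export RSA suite " + EXPORT_RSA_SUITES[chosen])
    elif chosen in STATIC_RSA_SUITES and server_key_exchange is not None:
        # ServerHello says strong RSA, yet an RSA ServerKeyExchange follows: the
        # message sequence a FREAK man-in-the-middle produces, which pre-fix
        # clients (CVE-2015-0204 in OpenSSL) accepted instead of rejecting.
        bits = rsa_modulus_bits(server_key_exchange)
        findings.append("suite 0x%04x is non-export but ServerKeyExchange carries a "
                        "%d-bit RSA key" % (chosen, bits))
    return findings


# Constructed sample messages (TLS 1.2 record framing, fixed random, empty session id).
def make_hello(msg_type, suites):
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"
    if msg_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg


def make_rsa_server_key_exchange(modulus, exponent=b"\x01\x00\x01"):
    params = struct.pack("!H", len(modulus)) + modulus + struct.pack("!H", len(exponent)) + exponent
    body = params + struct.pack("!H", 4) + b"\x00" * 4   # placeholder signature
    msg = bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg


CLIENT_HELLO_STRONG = make_hello(CLIENT_HELLO, [0x002F, 0x0035])  # what the browser sent
CLIENT_HELLO_MITM = make_hello(CLIENT_HELLO, [0x0003])             # what the server received
SERVER_HELLO_EXPORT = make_hello(SERVER_HELLO, [0x0003])           # what the server sent
SERVER_HELLO_MITM = make_hello(SERVER_HELLO, [0x002F])             # what the browser received
SKE_EXPORT = make_rsa_server_key_exchange(b"\x80" + b"\x00" * 63)  # 512-bit export key
```

From the server's vantage point, `freak_findings(CLIENT_HELLO_MITM, SERVER_HELLO_EXPORT)` reports both the rewritten offer and the export suite the server accepted; from the browser's side, `freak_findings(CLIENT_HELLO_STRONG, SERVER_HELLO_MITM, SKE_EXPORT)` reports the 512-bit key hiding behind a strong-looking suite, which is the check a patched client performs before it would ever encrypt a premaster secret to that key. A clean handshake returns an empty list. The ServerKeyExchange check is only applied for static-RSA suites, since a DHE suite legitimately carries a ServerKeyExchange with a different layout.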

If you thought the FREAK flaw only affected Apple and Android devices, here's what Microsoft said today:


The flaw was previously thought to be limited to Apple's Safari and Google's Android browsers. But Microsoft warned that the encryption protocols used in Windows -- Secure Sockets Layer and its successor Transport Layer Security -- were also vulnerable to the flaw.

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems."

Microsoft said it will likely address the flaw in its regularly scheduled Patch Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft suggested disabling the RSA export ciphers.

Here's the whole article: http://www.cnet.com/au/news/windows-vulnerable-to-freak-encryption-flaw-too/


Yep, they owned up this news cycle. They wanted time, they "say", to finish the patch, which may be on the schedule of Black Tuesday, the second day of every month when the patches are available for download, or may be released as an out-of-cycle patch. I also read that MS did not release that info because they saw no actual exploits, and thus could safely stay mum and work on the patch. Since they publicly released it, I can safely assume that it is now being seen in the wild. I look for the patch in the next week, optimistically, but then again they have taken longer than I thought they should have many times before. Hey Joel, did you see the announcement of the universal apps for all MS devices AND IoT? Lots of folks misunderstand it and think it is wasted effort, but all Apps made for one platform can be sold on the other.


In Apple's case that means their major share of the world's smartphone and tablet market, and that is why their products have so many Apps. Android is the same for Android Apps and tablets. Apple's share of the smartphone/tablet market is dropping fast as Android continues to outsell them. Neither Apple nor Android, despite Chrome, has a dominant touch capability in their computers and laptops, if one desires it.


In MS' case it means all the enterprise computers in the world running MS Windows, which dwarfs the number of non-touch Macs, and we won't even consider Linux, which, try as they may, can't sell a viable phone in the market. Only MS has a desktop, laptop, tablet, and smartphone system, Windows 10, in the last stages of development, that lets one developer take his iOS or Android App, do the day or two of work needed to convert it to Windows, and sell it to all the desktop, laptop, and Windows mobile devices as well. MS' Windows 10 universal Apps are a game changer.


In the online feedback, where the wannabe types duke it out in each other's articles, they are now saying there is no way they will develop for MS, which just shows that they are wannabes. When all is said and done, more is said than done by that group.


My thoughts are that developers who sell a good bit of their apps, such that they are now millionaires with breakaway $1.99 - $2.99 App hits, are not necessarily OS-centric. A developer given a set of tools can develop their apps in any OS. Developers develop.


I believe the attraction of the first desktop and mobile worldwide platform that uses touch across the systems, and only requires a developer to write the App once and sell to an already-created market, will go very slowly and seem in danger of going bust, until the first big hit comes along and all the developers see it selling on desktops, laptops, phones and tablets.


See, only in the Windows world do my tablet/desktop/laptops/phone all automatically adapt to the device capabilities to run it on all platforms, including IoT. The Linux folks will see the implications of that. As will the developers.


Every developer would want a paid for App on the entire Windows 10 platform.


Joel, they also confirmed Spartan as the new browser, and that it definitely will be in the next preview. Please let me know what you think.


I love the way they have made all Apps close like the desktop in both desktop and tablets in 8.1. There are already more apps in the Windows store than I will ever use. I only started using Apps two years ago in Android, and the ripped-off personal data just turned me off. Windows allows me to opt out of any data being sent to them, personal or not. That is a powerful selling tool here, and even more so in Europe and around the world. http://www.techrepublic.com/article/microsoft-universal-app-platform-could-be-a-game-changer/?tag=nl.e001&s_cid=e001&ttag=e001&ftag=TRE20d3f17

http://www.zdnet.com/article/microsofts-new-windows-10-universal-app-platform-a-superset-of-winrt/ I'm backing off of posting as regularly as before to focus on my new house closings, and will be completely offline save for emails on my phone, due to our old house being moved out of the way and the new pad and concrete pad poured, and then moved onto it and assembled. Two-piece manufactured home. That disconnect will be for a month, and no, even with LTE I don't like typing or speaking into a phone. I may figure out how to hotspot it and use my tablets.


Have they put Cortana on any of the previews you have yet? Granted, the usual background noise or others talking makes a voice assistant frustrating, including Cortana, but in the quiet of vehicle, home, and office, she is a blast! Now I don't even use OneNote much, just her, er, I mean "it." When they figure out a voice ID and filter out all other noise or voices, they will have solved several problems at the same time. That would eliminate passwords, and provide another security tool against theft of the device. Not much incentive if the voice lock can't be bypassed.


Cortana will not marry me until I get more digital. And her love is still impossible until, as she said to me herself, she gets quite a few more upgrades. <sigh> :wacko::lol:^_^


Here's a list of recommendations that people can adopt now to protect themselves from this vulnerability:


In addition, according to the miTLS Team, which discovered this decrepit FREAK security hole in the first place, the following SSL/TLS client libraries are vulnerable.

  • OpenSSL (CVE-2015-0204): versions before 1.0.1k.
  • BoringSSL: versions before Nov 10, 2014.
  • LibreSSL: versions before 2.1.2.
  • SecureTransport: is vulnerable. A fix is being tested.
  • SChannel: is vulnerable. A fix is being tested.

Web browsers that use these TLS libraries are open to attack. These include:

  • Chrome versions before 41 on various platforms are vulnerable. (Chrome v41 is available now.)
  • Internet Explorer is vulnerable. Wait for a patch, switch to Firefox or Chrome 41, or disable RSA key exchange as detailed below using the Group Policy Object Editor.
  • Safari is vulnerable. Wait for a patch, switch to Firefox or Chrome 41.
  • Android Browser is vulnerable. Switch to Chrome 41.
  • Blackberry Browser is vulnerable. Wait for a patch.
  • Opera on Mac and Android is vulnerable. Update to Opera 28 (when stable), switch to Chrome 41.

The entire article is located here: http://www.zdnet.com/article/how-to-protect-yourself-against-freak/

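Turning the library list above into an inventory check needs one detail handled correctly: OpenSSL's lettered patch levels sort as text only up to a point (1.0.1j is older than 1.0.1k, and 0.9.8zc is older than 0.9.8zd), so a plain string comparison gets them wrong. The following Python is an added example, not from the ZDNet article or the miTLS team. The 1.0.1k and LibreSSL 2.1.2 cutoffs are the ones listed above; the 1.0.0p and 0.9.8zd cutoffs for the older OpenSSL branches come from OpenSSL's security advisory of 8 January 2015, not from this thread; the inventory lines are constructed sample input of the kind `openssl version` prints.

```python
"""Triage `openssl version` style strings against the FREAK fix levels listed above.

Added example, not from the ZDNet article or the miTLS team. The 1.0.0p and
0.9.8zd cutoffs come from OpenSSL's security advisory of 8 January 2015, not
from the list above; the inventory lines are constructed sample input.
"""
import re

OPENSSL_FIXED_IN = {(1, 0, 1): "1.0.1k", (1, 0, 0): "1.0.0p", (0, 9, 8): "0.9.8zd"}
LIBRESSL_FIXED_IN = "2.1.2"

_VERSION_RE = re.compile(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(text):
    """('OpenSSL', (1, 0, 1, (11,))) for 'OpenSSL 1.0.1k 8 Jan 2015', else None.

    OpenSSL's letter suffix is its patch level and sorts '' < 'a' < ... < 'z' <
    'za' < 'zd'; mapping letters to a tuple of 1..26 makes plain tuple comparison
    give that order (1.0.1j < 1.0.1k, 0.9.8zc < 0.9.8zd).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(2, 3, 4))
    letters = tuple(ord(c) - 96 for c in m.group(5))
    return m.group(1), nums + (letters,)


def freak_status(version_string):
    """'vulnerable', 'fixed' or 'unknown' for one version string."""
    parsed = version_key(version_string)
    if parsed is None:
        return "unknown"          # SChannel, SecureTransport, BoringSSL: no version string to parse
    lib, ver = parsed
    if lib == "LibreSSL":
        cutoff = version_key("LibreSSL " + LIBRESSL_FIXED_IN)[1]
    else:
        branch = ver[:3]
        if branch > (1, 0, 1):
            return "fixed"        # 1.0.2 and later were released after the fix
        if branch not in OPENSSL_FIXED_IN:
            return "unknown"
        cutoff = version_key("OpenSSL " + OPENSSL_FIXED_IN[branch])[1]
    return "fixed" if ver >= cutoff else "vulnerable"


# Constructed inventory: "<host> <output of `openssl version`>" per line.
SAMPLE_INVENTORY = """\
web01 OpenSSL 1.0.1j 15 Oct 2014
web02 OpenSSL 1.0.1k 8 Jan 2015
web03 OpenSSL 1.0.1e-fips 11 Feb 2013
web04 OpenSSL 1.0.2 22 Jan 2015
old01 OpenSSL 0.9.8zc 15 Oct 2014
bsd01 LibreSSL 2.1.1
bsd02 LibreSSL 2.1.2
win01 SChannel (see vendor advisory)
"""


def triage_inventory(text):
    """Map host name to FREAK status for each non-empty inventory line."""
    return {line.split()[0]: freak_status(line) for line in text.splitlines() if line.strip()}
```

A version string is only a first filter. Enterprise distributions backport fixes without bumping the upstream version, so a host reporting `OpenSSL 1.0.1e-fips` (web03 above) may already carry the CVE-2015-0204 fix; confirm through the package changelog (for example `rpm -q --changelog openssl | grep CVE-2015-0204` on RPM-based systems) before treating "vulnerable" as final. The "unknown" result for SChannel and SecureTransport reflects the list above: those are fixed by the OS vendor's patch, not by a library version you can read off the host.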