"FREAK" security hole affects even Windows after all

Microsoft almost had it good. Long lambasted for being so easily hacked, it was almost believed that the company's operating system, at least those well-patched and up to date ones, were immune to the latest security vulnerability causing worry over the Internet. As it turns out, however, it just isn't the case. Microsoft published a security advisory informing users that the version of Internet Explorer running on many versions of the Windows OS are susceptible to this FREAK attack, with no word on when a patch will be rolled out.

This FREAK vulnerability is a by product of an old US government policy that banned strong encryption in favor of weaker ones that the government could exploit later on. Unfortunately, that has come back to bite it in the extremities as it is now affecting many sites and can potentially compromise users' privacy and security. Definitely a lesson on why you shouldn't advocate creating intentional backdoors.

In essence, what hackers could to is to force a vulnerable website and an unprotected web browser to use the weaker "export-grade" encryption that is still in effect even after more than a decade. The hacker can then use a man in the middle technique to snoop in on the presumed secure communication between the browser and the server, gathering private information such as passwords, addresses, and more. This happens even with websites that use secure lines such as banks or Amazon. Ironically, it has also affected the US government's own websites, including the NSA. Some of these websites have already been fixed but there are still a lot more out there, and some of them are very big ones.

Part of the problem is that the problem is located on two sides of Internet traffic. Even as servers and websites are being patched up, users' browsers remain vulnerable. The FREAKAttack website keeps track of these browsers and updates their status. As of this writing, only Google Chrome on Mac is noted to already have a patch available, though the Linux version is also safe. Safari on both Mac and iOS will have a patch available next week. Sadly, Chrome on Android as well as the stock Android browser remain exposed to exploit. Google says that it has sent the fix already to its partners, but, as with any Android update, the question is always when it will actually roll out from OEMs and carriers. For now, it seems that everyone's safest bet would be to use Firefox, as it is the only browser that isn't vulnerable on any platform.

SOURCE: Microsoft, FREAKAttack

VIA: Ars Technica