March 6, 2015
Well, it's not been a great deal of time since we had POODLE, then GHOST, and now we have FREAK.
FREAK is an acronym for “Factoring attack on RSA-EXPORT Keys”, an attack on the encrypted communication of data between a web server and a browser, in either direction.
Microsoft have released an advisory that ALL currently supported versions of the popular Windows Operating System are at risk from FREAK. This includes the soon-to-be retired Windows Server 2003.
Essentially, the potential exploit is possible because some web servers and browsers still accept 512-bit export-grade ciphers, and this in turn allows a potential attacker to inject a malicious payload into the packet stream, compromising the HTTPS connection we are told to trust.
In Microsoft’s release, they have advised they are “working on the issue”.
Android, BlackBerry, Firefox and Apple iOS/OS X are all stated as potentially vulnerable to the FREAK attack vector.
Most analysts have said that the risk of this being exploited in the “real world” is low, but it has been widely reported that some high profile websites such as Amex, Groupon and Bloomberg are potentially exposed to this exploit. Something I am sure they will be eagerly working on to reassure their users.
It’s important to note that Google’s Chrome browser is unaffected.
The advice, for now at least, is to keep your systems updated with the latest security patches and releases, and always keep your anti-virus/anti-malware/anti-adware software up to date and active.
For Linux-based web servers the advice is to upgrade OpenSSL to at least version 1.0.2.
We are pleased to announce that our hosting has been tested as not vulnerable.
We will update this post as and when more information is released.
Contact us for more information, or an informal chat.
Microsoft have now posted a security patch for affected systems. Please visit Windows Update or Microsoft Update as appropriate.
This article was posted on 06/03/2015 at 21:24