Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all Microsoft advisory dramatically raises the number of vulnerable end-user devices. Computers running all supported versions of Microsoft Windows are vulnerable to "FREAK," a bug disclosed Monday that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between vulnerable end-users and millions of websites. Microsoft confirmed the vulnerability in an advisory published Thursday. A vulnerability-scanning service at FREAKAttack.com, a site that offers information about the bug, confirmed the advisory, showing that the latest version of IE 11 running on a fully patched Windows 7 machine was susceptible. Previously, it was believed that the Windows system was immune to the attacks. FREAK attacks—short for Factoring attack on RSA-EXPORT Keys—are possible when an end-user with a vulnerable device connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many presumed had been retired long ago. In analyses immediately following Monday's disclosure of FREAK, it was believed Android devices, iPhones and Macs from Apple, and smartphones from Blackberry were susceptible. The addition of Windows dramatically increases the number of users known to be vulnerable. Attackers who are in a position to monitor traffic passing between vulnerable users and vulnerable servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. Attackers can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website's underlying private key. The process requires about seven hours and $100. From that point on, attackers on a coffee-shop hotspot, rogue employees working at an ISP, or nation-state-sponsored hackers can masquerade as the official HTTPS-protected website, a coup that allows them to read or even modify data as it passes between the site and the end-user. Meanwhile, Android and Apple devices On Thursday, Google developers released an updated version of Chrome for Mac that can't be forced to use the weak 512-bit cipher, effectively closing the FREAK hole when OS X users are on the Google browser. At the time this post was being prepared, Chrome for Android remained vulnerable, and Google officials have yet to provide any public estimate on when a fix would be available. Apple officials have said patches for OS X and iOS would be released next week. Microsoft's advisory provided no estimate on when a patch would be available, either. In the interim, people on vulnerable devices should consider using Firefox, which over the past two days has consistently been labeled as safe by the FREAKAttack site. In recent weeks, security researchers scanned more than 14 million HTTPS-protected websites and found that 36 percent of them supported the weak cipher, meaning they are vulnerable to the attack. As of Thursday morning, vulnerable sites included AmericanExpress.com, Groupon.com, Bloomberg.com, and many more. Microsoft's advisory offers several work-arounds for more technically inclined readers, but some of them will prevent IE from connecting as expected to certain websites. Despite the large number of sites and end-user devices known to be vulnerable, there has been considerable debate among security professionals about just how critical the threat posed by FREAK is. Support for the argument the threat is low is the fact that it's hard or impossible for adversaries to carry out FREAK attacks remotely or in mass numbers. Additionally, Google, Facebook, and most other large sites aren't vulnerable. These considerations and the perception the threat is low are likely contributing to the slow pace of patches coming from Apple, Google, and Microsoft. Still other researchers say the severity is much higher. Besides the millions of websites and incomprehensibly high number of end-user devices now known to be vulnerable, other reasons to think FREAK is severe is the fact that it has existed for a decade. That means it's possible malicious attackers have known about and exploited it for years already. http://arstechnica.com/security/201...rstechnica/index+(Ars+Technica+-+All+content) Microsoft Windows vulnerable to 'FREAK' encryption flaw too Previously thought limited to Apple and Google browsers, the flaw leaves communications between affected users and websites open to interception. Computers running all supported releases of Microsoft Windows are vulnerable to "FREAK," a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov. The flaw was previously thought to be limited to Apple's Safari and Google's Android browsers. But Microsoft warned that the encryption protocols used in Windows -- Secure Sockets Layer and its successor Transport Layer Security -- were also vulnerable to the flaw. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems." Microsoft said it will likely address the flaw in its regularly scheduled Patch Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft suggested disabling the RSA export ciphers. The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page. Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers. "The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor," Matthew Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, wrote in a blog post explaining the flaw's origins and effects. "This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today." http://www.cnet.com/news/windows-vulnerable-to-freak-encryption-flaw-too/#ftag=CAD590a51e
Check if Windows is affected by the Freak Attack vulnerability Freak Attack is the name of a new SSL/TLS vulnerability that came to light on March 3, 2015. The vulnerability can be exploited by hackers to weaken the encryption used between clients and servers when HTTPs connections are used. Affected are servers, according to a site that is tracking the issue 9.5% of Alexa's top 1 million domain names but also web browsers such as Chrome, Safari and Internet Explorer. Browser's are not necessarily vulnerable on all systems they support. Chrome is for instance vulnerable on Android and Mac OS X but not on Windows. Firefox appears to be the only browser not affected by the vulnerability at all on all systems it supports. Since Internet Explorer is affected by the vulnerability on Windows, it is important to check whether your PC is vulnerable and do something about it if that is the case. The easiest way to do that is to use the Freak Client Test Tool which tests for the vulnerability and reports back if your browser is vulnerable or not. READ MORE http://www.ghacks.net/2015/03/06/check-if-windows-is-affected-by-the-freak-attack-vulnerability/
Scope Of FREAK Flaw Widens As Microsoft Says Windows Affected Too http://www.darkreading.com/scope-of...ws-affected-too/d/d-id/1319380?_mc=RSS_DR_EDT Microsoft: FREAK affects Windows, iOS and Android http://www.theinquirer.net/inquirer...-fixing-security-flaw-caused-by-us-government
I've been out of the loop for the last few weeks. Is freak attack affecting chrome on Linux or mobile FF?
