Report: The FREAK Bug Now is Everywhere

Written by DH Kass 1
March 8, 2015

Microsoft confirmed that the latest version of Internet Explorer 11 running on a fully protected Windows 7 computer is vulnerable to a FREAK attack in which invaders could get in the middle of HTTPS-secure traffic between users and millions of vulnerable websites.

The FREAK, not a dance or a television show but rather a dangerous security bug, short for “Factoring attack on RSA-EXPORT Keys,” apparently is everywhere on just about every browser and platform save Firefox. And, it’s been around for about a decade, according to reports.

But it’s worse than that. Late last week, Microsoft (MSFT) confirmed in a security advisory that the latest version of Internet Explorer 11 running on a fully protected Windows 7 computer, nevertheless, still was vulnerable to a FREAK attack in which invaders could get in the middle of HTTPS-secure traffic between users and millions of vulnerable websites.

Freakattack.com, a service that scans for vulnerabilities to the bug, also confirmed Microsoft’s advisory, dismissing previous thinking that the bug couldn’t invade Windows systems.

“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” the vendor wrote in the security alert.

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” the advisory said. “The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”

Microsoft went on to say that to protect users it’s unsure if it will need to provide a security update through its normal monthly patch releases or issue what it calls an “out-of-cycle” security update.

FREAK attacks can occur when an unsuspecting user operating a compromised machine visits a vulnerable, but supposedly HTTPS-secure website, which an attacker has downgraded to a weaker 512-bit cipher.

The bug previously was thought to invade Android devices, Apple (AAPL) iPhones and Macs and BlackBerry (BBRY) smartphones but with Windows devices now susceptible, obviously the number of possible user intrusions multiplies exponentially.

In response to the threat, Google already has updated Chrome for the Mac that closes the FREAK hole for OS X users. But Google has yet to issue a patch for Chrome for Android users. Similarly, Apple said it will have a fix for OS X and iOS in the next few days.

Right now, the estimate is nearly 40 percent of HTTPS-protected websites may be vulnerable to the FREAK opening, meaning they will support the weak cipher making them vulnerable to an intrusion. Some high traffic websites, including included AmericanExpress.com, Groupon.com, Bloomberg.com,government sites such as the NSA, the FBI, and the White House’s sites are vulnerable to the bug.