A new vulnerability affecting the SSL/TSL cryptographic protocols, dubbed Freak, has been found to affect Microsoft's Windows platform in addition to operating systems using the popular OpenSSL package.
First publicised earlier this week
by the researchers who had first discovered it, the Freak attack was initially thought to affect only selected operating systems including OS X, Linux, and variants including Android. The initial testing suggested that mobile users had the most to fear, with iOS, BlackBerry OS, and Android all affected by the vulnerability, while claiming that Microsoft's Internet Explorer was not affected - a claim now revised in the face of further testing.
The Freak attack is a variant on man-in-the-middle (MITM) methodology which allows an attacker to capture HTTPS traffic and force the server and client to negotiate a far weaker form of encryption than would otherwise be the case. The flaw itself stretches back more than a decade, but is described as 'not trivial to exploit
' by researchers. 'To exploit FREAK users need to connect to servers where support for downgraded export keys is still enabled and have an attacker on their network monitoring their connection with this server,
' explained Andy Manoske, senior product manager at AlienVault, of the vulnerability. 'Even then this only allows attackers the opportunity to perform cryptoanalytic attacks on their ephemeral key - a key which will only be valid for their session of communication with the server. This is definitely a glaring vulnerability, but it's by no means something as dangerous or hard to remediate as Heartbleed.
'Users who need to be extra cautious here are ones who, by design, have a entity in the middles of their traffic,
' agreed TK Keanini, chief technical officer of security firm Lancope. 'For example, some nation states control Internet gateways in in and out of their nation and because of this topological placement are in an optimal place to exploit everyday users.
While more difficult to exploit than previous attacks on SSL/TLS, its impact is widespread: all unpatched systems stretching back more than a decade are vulnerable, and that includes Windows. Microsoft admitted late yesterday that its own SSL/TLS library, Schannel, was indeed vulnerable
and is advising its users to disable RSA key exchange ciphers pending the release of a patch. Other platforms are awaiting updates also: Firefox is not vulnerable on any operating system, but Google's Chrome is with only the desktop variant currently patched; Safari on OS X and iOS is expected to receive a patch from Apple next week; while BlackBerry and Google are currently silent on when their respective mobile browsers will receive fixes. According to figures released by the original researchers, around 26 per cent of all web servers supporting encryption are additionally vulnerable, including 9.5 per cent of the top one million - down from 12.2 before the flaw was publicised.
More information is available at the vulnerability's official website