Thursday, March 05, 2015

Microsoft Security Advisory 3046015 (FREAK)

Security Advisory
Microsoft released Security Advisory 3046015, which relates to the SSL/TLS issue being referred to as “FREAK” (Factoring attack on RSA-EXPORT Keys).

Most of the publicity surrounding FREAK has addressed the vulnerability in the Safari, Chrome and Android browsers on OS X, iOS and Android. However, the flaw also affects many popular websites. As described in the Security Advisory:
"The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the cipher used in an SSL/TLS connection on a Windows client system to weaker individual ciphers that are disabled but part of a cipher suite that is enabled."
The problem is that it isn't only the browser that is vulnerable but websites as well.  Are you or the sites you frequent vulnerable?  To find out, do the following:
To learn more about FREAK, see "Time to FREAK out? How to tell if you're vulnerable" (Computerworld) by Gregg Keizer.




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

4 comments:

Anonymous said...

Are other versions of IE protected? I'm still using IE8 since I'm still using Windows XP.

Corrine said...

The best thing is to test your browser(s) at https://freakattack.com/.

Anonymous said...

Corrine,
Thank you for the quick response. To clarify myself, I do use Chrome browser and it's safe. I still have the IE8 on my XP for back up. When I went to test IE8 @ freakattack.com it comes up as (Can not display web page.) I do not have a problem with other web sites on IE8 page. Is there another way to check?

Corrine said...

I'm not aware of another way to check. However, in the case of this vulnerability, the expression "It takes two to tango" applies. This is because both the browser and the server must support the export-grade cipher suites in order for an attack to be successful.