Microsoft, Apple Tame Their Inner FREAK With Software Patches
There's a time and place to get your freak on, unless you're talking about FREAK, the newly discovered TLS flaw that was initially thought to affect only Android and iOS devices. It turns out that the vulnerability also affects all supported releases of Windows. That's the bad news. And the good? Microsoft and Apple have both released updates to plug the security hole.
"This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems," Microsoft said in a security bulletin. "The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected."
Put another way: an attacker sitting between a client and a server can tamper with the TLS handshake so that both sides end up using a 512-bit "export-grade" RSA key. A key that short can be factored in hours on commodity cloud compute, after which the attacker can decrypt and modify traffic the two parties believe is protected. The client-side patches stop a client from accepting an export key it never asked for; servers that still offer RSA_EXPORT cipher suites remain the other half of the problem, and the fix there is simply to disable those suites.
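The server-side check a practitioner would want after reading the above is whether a given TLS server still accepts an export-grade RSA key exchange. The script below is an added example written for this page; it is not code from Microsoft, Apple or the FREAK researchers. It hand-builds a TLS 1.0 ClientHello that offers only the three classic RSA_EXPORT suites, classifies the server's first record (ServerHello means the server is willing, an alert means it refused), and includes two constructed sample responses so the parsing logic can be exercised offline. The `probe()` helper, the constant names and the sample bytes are this example's own; the cipher-suite values are the IANA-registered ones.

```python
import os
import socket
import struct

# IANA cipher-suite values for the export-grade RSA key exchanges a FREAK
# attacker needs the server to accept.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
TLS_1_0 = b"\x03\x01"


def build_client_hello(suites, client_random=None):
    """Return one TLS record carrying a ClientHello that offers only `suites`.

    A server that answers with a ServerHello rather than an alert is willing
    to negotiate an export-grade key exchange."""
    if client_random is None:
        client_random = os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS_1_0                                   # client_version
        + client_random                           # 32-byte random
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                             # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + TLS_1_0
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first TLS record a server sends back.

    Returns ("server_hello", chosen_suite), ("alert", description_byte)
    or ("other", None)."""
    if len(data) < 5:
        return ("other", None)
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == RECORD_ALERT and len(payload) >= 2:
        return ("alert", payload[1])              # second byte is the description
    if rec_type == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        body = payload[4:]                        # skip handshake type + 3-byte length
        sid_len = body[34]                        # after version(2) + random(32)
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        return ("server_hello", suite)
    return ("other", None)


def accepts_export_rsa(response):
    """True if the server selected one of the export RSA suites we offered."""
    kind, value = parse_server_response(response)
    return kind == "server_hello" and value in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5):
    """Live network probe (not exercised offline): offer only export RSA suites."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        return accepts_export_rsa(s.recv(4096))


# Constructed sample responses (not captured from any real server), so the
# classification logic can be checked offline.
_SH_BODY = TLS_1_0 + b"\x11" * 32 + b"\x00" + b"\x00\x08" + b"\x00"  # picks DES40 suite
SAMPLE_EXPORT_SERVER_HELLO = (
    bytes([RECORD_HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(_SH_BODY) + 4)
    + bytes([HS_SERVER_HELLO]) + len(_SH_BODY).to_bytes(3, "big") + _SH_BODY
)
SAMPLE_HANDSHAKE_FAILURE_ALERT = bytes([RECORD_ALERT]) + TLS_1_0 + b"\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(target, "accepts export RSA:", probe(target))
```

Run it against a host you own; a `True` result means the server is still offering the downgrade target, independent of whether any client has been patched. The probe speaks TLS 1.0 deliberately, since that is the version export suites were defined for; a hardened server should respond with a handshake_failure alert (description 0x28) or close the connection.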
Microsoft rated the security update (MS15-031) Important rather than Critical. It corrects the cipher-suite enforcement policies Schannel applies when server keys are exchanged between servers and client systems, so a client will no longer go along with an export-grade key it did not ask for. The fix isn't a standalone update but part of the March Patch Tuesday release, which also re-fixes the Windows Shell shortcut (.LNK) handling flaw that Stuxnet exploited. Microsoft had patched that flaw five years ago, but, according to Threatpost, the original fix was incomplete.
As for Apple device owners, Apple on Monday released iOS 8.2. It's a nearly 500MB download that adds support for Apple Watch and includes improvements to the Health app, but it also contains several stability and bug fixes, including one for FREAK in Apple's TLS implementation, Secure Transport.