Don't FREAK out about the latest security warnings

Glenn Fleishman | March 13, 2015
FREAK is last week's worry, but installing untrusted applications is a perennial worry. It's a two-fer (or two-fear) in this column, about security issues new and old.

Super FREAKy

Apple released updates this week for a security vulnerability known as FREAK. FREAK allowed a malicious party to force the use of a weaker encryption protocol between roughly one-third of web servers holding security certificates and many secure web clients and commonly used software libraries. That weaker protocol could be cracked cheaply and relatively quickly to reveal the contents of a session between a browser and a web server. (You can read the full details about the attack in Jeremy Kirk's news report.)

Apple confirmed on March 3 that it would release updates the following week, which it did. This is better communication than usual, matching a more recent pattern. In the past, the company often remained mum about when security fixes would come, even when they were quite severe. The frankness is welcome.

The updates are for OS X 10.8 (Mountain Lion), 10.9 (Mavericks), and 10.10 (Yosemite); Xcode 2; iOS 8 (included in 8.2); and 3rd generation and later Apple TVs. This seems like a relatively small window of updates, given that the flaw is present in operating systems of all kinds dating back a decade.

But the fix is asymmetrical: the attack can be blocked on the client side, on the server side, or on both. Web sites immediately began making relatively minor reconfigurations that prevent the flaw from being exercised, regardless of what the secure software attempting to connect tries to do. Sites that have bothered to install security certificates (or require them for their business) are likely to update their settings if they fall into the category of affected servers.
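To make the two points above concrete (the downgrade to a weaker protocol, and the fact that a fix on either end closes the hole), here is a small added audit script. It is not code from the column or from Apple; it draws on the widely documented background that the "weaker protocol" FREAK downgrades to is the family of export-grade TLS cipher suites (OpenSSL names beginning with "EXP-", IANA names containing "_EXPORT"). The server cipher lists are constructed for illustration, and `session_at_risk` models the column's asymmetry: a session is exposed only when the server still offers an export suite and the client is unpatched.

```python
import ssl
from typing import Iterable, List

# Constructed server cipher lists for illustration (not taken from the column).
# Names follow OpenSSL conventions; an "EXP-" prefix marks an export-grade suite.
VULNERABLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",        # export-grade: 40-bit RC4 with a 512-bit RSA key exchange
    "EXP-DES-CBC-SHA",    # export-grade: 40-bit DES
]
HARDENED_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def is_export_grade(name: str) -> bool:
    """True for export-grade suites in either OpenSSL ("EXP-...", "EXP1024-...")
    or IANA ("TLS_RSA_EXPORT_WITH_...", "TLS_RSA_EXPORT1024_WITH_...") naming."""
    n = name.upper()
    return n.startswith("EXP-") or n.startswith("EXP1024-") or "_EXPORT" in n


def find_export_suites(ciphers: Iterable[str]) -> List[str]:
    """Return the export-grade suites present in a cipher list, in order."""
    return [c for c in ciphers if is_export_grade(c)]


def server_vulnerable(server_ciphers: Iterable[str]) -> bool:
    """Server-side check: a server that still offers any export suite can be downgraded."""
    return bool(find_export_suites(server_ciphers))


def local_client_export_suites() -> List[str]:
    """Client-side check: export suites the local Python/OpenSSL client would still offer.
    A current OpenSSL build returns an empty list here."""
    ctx = ssl.create_default_context()
    return find_export_suites(c["name"] for c in ctx.get_ciphers())


def session_at_risk(client_patched: bool, server_ciphers: Iterable[str]) -> bool:
    """The asymmetry from the column: fixing EITHER end closes the hole.
    A session is exposed only when the client is unpatched AND the server
    still offers an export-grade suite."""
    return (not client_patched) and server_vulnerable(server_ciphers)


if __name__ == "__main__":
    print("vulnerable server offers:", find_export_suites(VULNERABLE_SERVER_CIPHERS))
    print("hardened server offers:", find_export_suites(HARDENED_SERVER_CIPHERS))
    print("local client export suites:", local_client_export_suites())
    for patched in (False, True):
        print(f"client patched={patched}, vulnerable server -> at risk:",
              session_at_risk(patched, VULNERABLE_SERVER_CIPHERS))
```

Run as-is to see the four combinations; to audit a real server configuration, feed `find_export_suites` the cipher list from its TLS configuration (for example, the value of an OpenSSL-style cipher string split on ":") and remove anything it reports.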

FREAK belongs to an irritating category of exploits: there is nothing you can do about it on your own, and nothing you could have done beforehand, to keep yourself safe. However, exercising the exploit would require a party with dire intent to insert themselves as a "man in the middle" (MitM). For most users, the likelihood of interception is low; for particular users who might be targeted by enemies, criminals, or a government agency, the odds would be moderate to quite high, if this exploit were known and in use as a tool of interception or theft.

As it stands, those with OS X 10.7 and earlier or iOS 7 and earlier shouldn't fret, they iOS users may be feeling like . The holes have been closed so rapidly that this isn't likely to be a useful tool in the kit of those bent on interception.

Don't take any wooden apps

There's word that malicious installers for Mac software have started to crop up again. This isn't the first time this has happened, but it's often surprising to OS X users that there's any reason to worry because of Apple's generally great approach to software installation that prevents malware from gaining a grip without user intervention. But even if you wouldn't be suckered in, you might check friends' and relatives' configurations and understanding to make sure they're safe.
