Millions of computer users at risk from “Freak”

At the end of last week, Microsoft issued a major security warning about a computer bug that has been named “Freak” and announced that it was working on a security update to tackle it.

Initially it was thought that only some users of Android and Blackberry phones were at risk, along with users of Apple’s Safari web browser, but it was later discovered that in fact millions of computer users are at risk.

The bug is a loophole that has been found in software that is used to encrypt data passing between web servers and web users. If exploited, Freak could let cyber attackers spy on what had previously been believed to be secure communications. The SSL/TLS vulnerability was announced on Tuesday 3^rd March. The issue was discovered by Karthikeyan Bhargavan, an encryption and security expert at INRIA in Paris, and allows attackers to force data that is travelling between a vulnerable site and a visitor to use weak encryption, making it easier for the attacker to crack open the data and steal or manipulate sensitive information.

On 5^th March, Microsoft released a security advisory note which said that it had not received any information that showed that the flaw was being actively exploited by cybercriminals, but did say that every current version of Windows that uses the browser Internet Explorer (IE) was vulnerable to Freak, as was any non-Microsoft software that calls on a part of Windows called Secure Channel. It suggested some ways to tackle the issue on its software but said that these fixes could go on to cause serious problems with other programs. In a sign of how seriously it was taking the bug, it announced a security update on 10^th March, a week after it was first announced. Apple is expected to produce a patch to tackle the issue in the next week, and Google has updated Chrome for the Mac in response, but has yet to say what action it is taking with Android. Chrome for Windows and all modern versions of Firefox are known to be safe, but certain third-party software could still leave you vulnerable.

A group has been set up to monitor the impact of Freak and to help people check to see if they are using a browser that makes them vulnerable. They believe that around 9.5% of the top one million websites are at risk of being attacked, 36.7% of HTTPS servers with browser-trusted certificates and 26.3% of all HTTPS servers are at risk. You can view their website at https://freakattack.com/ and keep up to date with all developments regarding Freak, including security updates.

If you’re concerned about the potential impact of Freak or need assistance with computer viruses, spam, and other IT-related issues, reach out to our team of IT experts at ECL today.