FREAK dangerous vulnerability found on desktop and mobile OS

    A new vulnerability called FREAK (CVE-2015-0204) has been discovered in the widely used open source library OpenSSL. It allows attackers to compromise the secure HTTPS connection used by the browser. The vulnerability affects the Google Android and Apple iOS mobile platforms, because they use OpenSSL, as well as Apple OS X. All supported versions of Microsoft Windows (SA 3046015) are also affected by a similar vulnerability in Microsoft Schannel.



    The patch for OS X and iOS (Safari) will be available to users next week; the same applies to the Google Chrome web browser. For Internet Explorer, a workaround is available in the meantime, described here. Using the FREAK vulnerability, an attacker can downgrade the trusted HTTPS connection between client and server to a weaker version and then decrypt the traffic (a so-called man-in-the-middle attack).

    Both client and server software are affected. A list of websites that may be compromised through FREAK is available here. The vulnerability is also dangerous because, from the point of view of the user's vulnerable web browser, an HTTPS connection compromised by an attacker still appears trusted, and no security warning is shown to the user.
