Updated March 4, 2015, 1:13 PM PST: Tripwire IP360 has included coverage for CVE-2015-0204 since it was first released in January 2015, as well as detection capabilities for weak export grade ciphers that enable this attack vector.
According to a report by the Washington Post, security researchers recently unveiled yet another massive security flaw, dubbed FREAK, impacting both Apple and Google users.
The vulnerability, which has been around for more than a decade, could allow attackers to eavesdrop on communications on computers and mobile devices using the Safari or Google browsers, even when visiting millions of allegedly secured sites.
Apple spokesman Ryan James stated the company plans to issue a software update to remediate the pervasive vulnerability next week.
Google also responded quickly to the incident. Spokeswoman Liz Markman stated the company had also developed a patch, which it has since provided to partners. The rollout time for the Google update, however, is still unknown.
Security researchers that uncovered the bug believe this high-impact vulnerability was the result of a former U.S. government policy that prohibited the export of strong encryption. Hence, weaker “export-grade” products were required to be shipped to customers outside of the U.S.
“These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.” – The Washington Post
The group of researchers confirmed recently that browsers could be manipulated to use weaker encryption, and eventually break it within only a few hours.
Attackers could then leverage the vulnerability to steal data and launch broader attacks on the websites by taking over certain page elements, such as a Facebook’s “Like” button.
Nonetheless, experts point out the risk of FREAK – short for Factoring attack on RSA-EXPORT Keys –being actively exploited is smaller than we have seen with other high-impact vulnerabilities like Heartbleed and Shellshock.
“There are a number of variables that need to be in place in order of an attacker to take advantage of this vulnerability,” said Tripwire senior security analyst Ken Westin.
“However, it is still important to update systems as vendors make patches available.”