Security researchers have revealed a new software vulnerability that is leaving Apple and Google users open to a hack attack. The vulnerability, Factoring RSA export keys (also known as the FREAK attack), was found in SSL/TLS—the protocol meant to provide secure Web connections.
According to the miTLS team, composed of Inria (a research organization in Paris) and Microsoft Research, the vulnerability was introduced by U.S. government agencies that banned strong encryption algorithms from export in order to ensure they could decrypt foreign communications. Although the ban was lifted in the 1990s, the weaker encryption algorithms already made their way into software and back to the United States.
“Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default,” wrote the researchers on their website. “However, we discovered that several implementations incorrectly allow the message sequence of export cipher suites to be used even if a non-export cipher suite was negotiated.”
The researchers added that the FREAK attack could allow a hacker to force a browser with the weak export cipher suite to use weaker export keys that can be decrypted or altered.
“Ironically, many U.S. government agencies (including the NSA and FBI), as well as a number of popular websites (IBM, or Symantec) enable export cipher suites on their server,” the researchers wrote.
Those affected by the flaw include users of pre-1.0.1k versions of OpenSSL, Android Browser, Safari, several embedded systems, and software companies that use TLS without deactivating the weak export cipher suite in their software products.
It is unlikely that users of Chrome or Firefox are affected by the vulnerability, according to the researchers. Apple is already working on deploying a patch for Safari. The researchers recommended that users Android browser users update to Chrome 41 immediately.
More information is available here.
