A new web crypto bug, disclosed Tuesday, is affecting many Safari and Android users. So between Apple and Google, who is going to send out the bug fix first?
What is it?
The FREAK bug is the latest vulnerability affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to encrypt traffic between an HTTPS website and a browser.
A man-in-the-middle attacker can force connections between affected browsers and websites to downgrade from 'strong' RSA encryption to a weaker version known as 'export grade' RSA. That weaker version is a by-product of laws from the 1990s that made it illegal to export from the US products with strong cryptography.
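The tell-tale sign of the downgrade described above is a ServerHello that negotiates an RSA_EXPORT cipher suite. The following detection helper is an added example, not code from the original article: it parses a TLS ServerHello record and flags export-grade RSA suites (ids from RFC 2246); the function names and the sample ServerHello are constructed for illustration.

```python
import struct

# TLS cipher suites whose key exchange is RSA_EXPORT (RFC 2246, appendix C).
# A successful FREAK downgrade ends with the server selecting one of these.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return its version and cipher suite."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 35:                                  # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]
    off = 35 + sid_len                                # cipher suite follows the session id
    if len(hs) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {"version": version, "cipher_suite": suite}


def is_export_downgrade(record: bytes):
    """Return (flagged, suite_name_or_hex) for a captured ServerHello record."""
    info = parse_server_hello(record)
    name = RSA_EXPORT_SUITES.get(info["cipher_suite"])
    return (name is not None, name or "0x%04x" % info["cipher_suite"])


def build_server_hello(suite: int) -> bytes:
    """Constructed sample: TLS 1.0 ServerHello with empty session id and the given suite."""
    hs_body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(is_export_downgrade(build_server_hello(0x0003)))   # flagged: RC4_40 export suite
    print(is_export_downgrade(build_server_hello(0x002F)))   # not flagged: AES128 suite
```

Run the same check over ServerHello records extracted from a packet capture to find connections that actually negotiated an export suite, and remove those suites from server configurations so the downgrade has nothing to land on.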
Who is vulnerable?
Thousands of sites are vulnerable, including that of the US National Security Agency (nsa.gov), the White House (whitehouse.gov), and the Federal Bureau of Investigation (FBI.gov).
The bug affects SSL/TLS servers and clients, in particular browsers built on OpenSSL, such as the Android browser that shipped with all Android devices before version 4.4 (KitKat). KitKat currently accounts for about 40 percent of all Android devices, meaning that the bulk of Android devices are affected.
Apple's Safari browser on desktop systems and mobile devices is also affected. Chrome, Internet Explorer and Firefox, however, are not affected.
What is the fix?
According to Reuters, Apple spokesman Ryan James said the company had developed a software update to remediate the vulnerability, which would be pushed out next week.
A spokeswoman for Google, Elizabeth Markman, said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades.
Unlike Apple, Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.