IT Security Guru

No evidence of FREAK exploits and no patches should not cause complacency

by The Gurus
March 4, 2015
in Editor's News

The delay in patching the FREAK flaw will not cause users problems, particularly as there is currently no evidence of any exploits.
 
In an email to IT Security Guru, TK Keanini, CTO of Lancope, said that proper exploitation of this flaw is difficult because there are multiple requirements for the attacker, unlike other vulnerabilities where all they needed to do was run the exploit.
 
“For this reason, I don’t think the delay [in releasing a patch] is a bad thing because a fix and proper testing of that fix is important as we don’t want to be introducing even more vulnerabilities,” he said.
 
Mark James, security specialist at ESET, said that once a flaw has been made public, any delay will increase the chances of it being exploited. “Whilst a small number of people may be aware of this flaw already, once it goes public any number of people may then attempt to use this for the wrong reasons,” he said.
 
“It certainly is good news that there is currently no evidence of any exploits, however evidence and practice do not necessarily go hand in hand. Getting this patched as soon as possible by all the affected software parties is a priority and it’s good to see that some already have.”
 
Revealed yesterday, the FREAK (Factoring attack on RSA-EXPORT Keys) flaw allows an attacker who can intercept traffic between a vulnerable client and server to force the connection onto ‘export-grade’ cryptography, which can then be decrypted. The technique could be used to recover usernames and passwords, as well as other sensitive data that users may believe is protected by SSL. The attack needs three conditions at once: a man-in-the-middle position on the connection, a server that still offers RSA_EXPORT cipher suites, and a client that accepts the 512-bit export RSA key it is then handed even though it never asked for an export suite; a 512-bit RSA modulus can be factored with a few hours of rented compute, after which the session can be decrypted. According to NCC Group, there is currently no evidence that attackers have managed to exploit the weakness yet. According to Reuters, Apple has said a software update will be pushed out next week, while Google said the company had also developed a patch, which it has provided to partners.
 
Keanini said: “Only the most sophisticated and advanced would be able to pull this off and those are the types of attackers that only make the news when they choose to make the news. Very few attackers have at the ready the ability to get in the middle of your network traffic.
 
“This does not mean that the vulnerability cannot be exploited, it just means it will be much more targeted and only a small handful of attackers will have the opportunity at this point.”
 
Gavin Millard, EMEA technical director of Tenable Network Security, told IT Security Guru that he felt FREAK was far less of an issue than Heartbleed and similar to POODLE, but that it was still worth taking note of and fixing where present.
 
He said: “With all major bugs of this type, it is important that the affected systems are identified and updated when the patches are available to reduce the risk of this vulnerability being exploited. OpenSSL has a patch available now, the client updates should follow in the coming days.”
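Identifying the affected systems Millard describes starts on the server side: the precondition described above is a server that still accepts an RSA_EXPORT cipher suite. The probe below is an added example written for this page, not code from the article or from any vendor quoted in it. It builds a TLS 1.0 ClientHello that offers only the three 512-bit RSA export suites and classifies the server's first reply: a ServerHello means the server agreed to export-grade crypto, a handshake_failure alert means it refused. The `sample_server_hello` and `sample_alert` fixtures are constructed bytes for offline testing, not captured traffic, and the `example.com` default in `main` is a placeholder hostname.

```python
"""Probe a TLS server for the server-side FREAK precondition: willingness to
negotiate an RSA_EXPORT cipher suite.  Added example; not from the original page."""
import os
import socket
import struct
import sys

# RSA export-grade cipher suites, by IANA value (512-bit RSA key exchange).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS10 = b"\x03\x01"


def build_client_hello(hostname, suites=RSA_EXPORT_SUITES, random_bytes=None):
    """TLS 1.0 ClientHello record offering *only* the given suites, plus SNI."""
    client_random = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    body = (
        TLS10 + client_random
        + b"\x00"                                                   # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                               # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return b"\x16" + TLS10 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record returned by the server.

    Returns ('accepted', suite) if the server picked a cipher suite in a ServerHello,
    ('rejected', alert_description) if it sent an Alert (40 = handshake_failure),
    or ('other', None) for an empty read or anything not parseable as either.
    """
    if len(data) < 5:
        return ("other", None)
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    record = data[5:5 + record_len]
    if content_type == 0x15 and len(record) >= 2:                   # Alert: level, description
        return ("rejected", record[1])
    if content_type == 0x16 and record and record[0] == 0x02:       # Handshake, ServerHello
        # layout: type(1) len(3) version(2) random(32) sid_len(1) sid(...) cipher_suite(2)
        if len(record) < 39:
            return ("other", None)
        sid_len = record[38]
        off = 39 + sid_len
        if len(record) < off + 2:
            return ("other", None)
        return ("accepted", struct.unpack("!H", record[off:off + 2])[0])
    return ("other", None)


def describe(result):
    """Human-readable verdict for a classify_response() tuple."""
    verdict, detail = result
    if verdict == "accepted":
        name = RSA_EXPORT_SUITES.get(detail, "unexpected suite 0x%04x" % detail)
        return "VULNERABLE: server negotiated %s" % name
    if verdict == "rejected":
        return "OK: server refused export suites (alert %d)" % detail
    return "INCONCLUSIVE: no parseable TLS record received"


def probe_server(hostname, port=443, timeout=5.0):
    """Send the export-only ClientHello to a live host (network access required)."""
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(hostname))
        return classify_response(sock.recv(4096))


def sample_server_hello(suite, session_id=b""):
    """Constructed ServerHello record for offline testing (not captured traffic)."""
    body = (TLS10 + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + TLS10 + struct.pack("!H", len(hs)) + hs


def sample_alert(description, level=2):
    """Constructed fatal Alert record for offline testing."""
    return b"\x15" + TLS10 + b"\x00\x02" + bytes([level, description])


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    print(describe(probe_server(host)))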
 
Phil Lieberman, CEO of Lieberman Software Corporation, agreed that FREAK is a low-probability threat, so little needs to be done, but recommended that websites or embedded systems which may be compromised by nation states using this technique upgrade their web servers to a more modern version of OpenSSL.
 
He called Heartbleed a serious and prevalent flaw that affected most users interacting with open source based web servers, and a “you must patch” scenario for internet-facing sites. “FREAK is an interesting technique, but it should not keep anybody awake at night unless their Internet connection is tapped or they are using WiFi without encryption and authentication,” he said.

Tags: Encryption, Flaw, FREAK, Heartbleed, HTTPS
© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic