Protecting Yourself from FREAK
There’s a new SSL security flaw that’s making the news, and as usual, it has the major tech companies scrambling to provide patches. In some cases, patches are available now. In others, they’re still about a week away. Here’s what you need to know and how to guard against it.
This latest security flaw is actually quite old, but only recently discovered. Essentially, this is an artifact of an earlier era in computing. As our security measures have grown more robust new architecture has been built atop the old, without stripping the old out. This, of course, has set up a situation where a savvy, observant hacker can exploit the old code that’s still built into the system, completely circumventing the new, more robust security measures.
Scope of Impact
Originally, this was reported as an Apple issue, but it has since come to light that Microsoft and Android devices are impacted as well. In fact, most devices are impacted, including those running Windows Vista, 7, 8, 8.1, and Windows Server 2003. It stands to reason that older and unsupported operating systems are also vulnerable. It’s all the more reason to do that upgrade you’ve been putting off, because in the case of unsupported OS’s, no help is coming. If you don’t upgrade, you’re going to remain vulnerable to the threat this newly revealed security flaw represents.
In addition to these, the Android browser is vulnerable, as is Internet Explorer, pre-update-41 Chrome, and Opera. Patches are all forthcoming, but at present, the safe havens are Chrome 41 and Firefox. Switch to either of these until the other patches are officially released.
Also note that if you’re using Server 2012 or Server 2008, but have those configured for desktop use, you’re also vulnerable. Tablet and Phablet users will need to wait for the manufacturer to release patches before they’re fully covered, even after Google patches the Android OS.
All of that to say, this is a very big, pervasive security flaw that impacts an enormous number of machines.
Implications of Not Taking Precautions
Opting to not protect yourself will leave system’s passwords at risk. A hacker can use the exploit to gain root level access, take control of the machine and ferret out all passwords stored on the device in question. That poses a simply unacceptable security risk for most, so the best course of action is to take what steps you can to minimize your exposure, await the patches, and then apply them as soon as they are available.
Unfortunately, there will be more of these. Based on the evolution of security protocols and how they have been applied, it’s all but certain that we haven’t seen the last of these kinds of issues. Kudos to the tech companies for stepping up and releasing patches as quickly as they are able, but no matter how quickly they act, there’s still a window of time in which you and your company are vulnerable.