The Freak vulnerability has infected more machines than had been previously thought, while cloud providers struggle to deal with the fallout from the malware.
Research from security company Skyhigh Networks revealed that 766 cloud service providers were still vulnerable to FREAK attacks. The vulnerability works by exploiting SSL/TLS to force an HTTPS connection.
According to a new security advisory from Microsoft, Windows users should be wary of the possibility of a FREAK attack, the company said the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.“
Microsoft would not comment on the reason why it was late with the announcement, contenting itself with releasing a statement, “We released Security Advisory 3046015 to provide guidance to customers in response to this issue. Our investigation continues and we'll take the necessary steps to protect our customers.”
Independent security consultant, Graham Cluley commented to SCMagazineUK.com: “Did Microsoft look at their software before and miss that it was vulnerable, or has it taken until now to confirm there is a problem? It does appear that the public announcement of Freak was slightly premature, caused by a blog post from Akamai being released early.”
The lack of action by cloud service providers could be seen as even more concerning. As Skyhigh spokesman Nigel Hawthorn pointed out, while it was revealed publically this week, the Freak vulnerability was first discovered in January. “At that point,” he said, “everyone who had a service that is likely to be vulnerable should have been concentrating on trying to fix it.”
He said that he was going to name the providers concerned but said there were some well-known and major companies among the guilty parties. He added that their size added to the complexity “Big companies have so many servers, they're harder to keep patched and up-to-date” but he pointed out that cloud companies in particular should be concerned about security issues.
In the past, he said, companies had been reluctant to adopt cloud, as there were concerns about security; providers have worked hard to change this viewpoint and a lack of response to Freak could undo this good work.
Richard Sykes, chairman of the Cloud Industry Forum, agreed that cloud service providers should be doing more. “They should be giving absolute priority to putting together a secure and reliable service,” he said. “We're currently putting together a new survey and it will be interesting to see whether security starts going back up the list of concerns.”
The other dilemma facing the industry is marrying secure communications with the need for national security. FREAK emerged when a “backdoor” in encryption systems was exploited: will governments be more wary of asking for weakened encryption systems in future?
Cluley is not so sure: “This isn't a story that's going away. However, I don't see any possibility of the authorities enforcing a ban on secure communications. There's nothing to stop someone downloading code from the internet, and compiling it, if they are really determined they want to keep the likes of the NSA out of their online chats. What will happen, I suspect, is that we will see more hacking of endpoints to spy on communications - as it will become too difficult to intercept communications en route.”