Another massive security flaw has been unearthed by researchers which dates back yonks – in this case, over a decade – and it affects Apple’s Safari and Google’s Android browsers.
The flaw lies in encryption, and stems from a US government policy decision back in the 1990s which prohibited the export of strong encryption, stipulating that a weaker standard (using only 512-bit RSA keys, which are considered very weak these days) be applied to products headed for customers in other countries. This was done for reasons of national security – i.e. spying.
While these rules were ditched before the 1990s were out, the weaker encryption had already been baked into popular software, and it is in fact still around today.
The Washington Post reports that FREAK, as the flaw is known – which stands for “Factoring attack on RSA-EXPORT Keys” – means that a host of websites are vulnerable. Indeed, a third of all encrypted websites are affected, according to tests conducted by the University of Michigan, including retailers and financial services in some cases.
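FREAK is a downgrade: a vulnerable client accepted an RSA_EXPORT cipher suite (512-bit RSA) that it had never offered. The Python below is an added illustration, not code from the article or from any browser vendor: it parses a TLS ClientHello and ServerHello and flags a negotiation that a hardened client should reject. The cipher suite IDs come from the TLS RFCs; the message-builder helpers and the sample messages are constructed here for the demonstration.

```python
# TLS RSA_EXPORT cipher suite IDs (RFC 2246 appendix A.5); all use 512-bit RSA.
EXPORT_RSA_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
                     0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}

def _hello_after_session_id(record: bytes, hs_type: int) -> tuple:
    # Strip the 5-byte record header and 4-byte handshake header, then skip
    # version(2) + random(32) + session_id(1 + len), which both Hellos share.
    if len(record) < 9 or record[0] != 0x16 or record[5] != hs_type:
        raise ValueError("not the expected TLS handshake record")
    length = int.from_bytes(record[6:9], "big")
    body = record[9:9 + length]
    if len(body) != length or len(body) < 35:
        raise ValueError("truncated handshake message")
    return body, 35 + body[34]

def client_hello_suites(record: bytes) -> list:
    body, pos = _hello_after_session_id(record, 1)     # handshake type 1 = ClientHello
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + cs_len]
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def server_hello_suite(record: bytes) -> int:
    body, pos = _hello_after_session_id(record, 2)     # handshake type 2 = ServerHello
    return int.from_bytes(body[pos:pos + 2], "big")

def check_negotiation(client_hello: bytes, server_hello: bytes) -> list:
    # A FREAK-hardened client rejects an unrequested suite and any RSA_EXPORT suite.
    offered, chosen = client_hello_suites(client_hello), server_hello_suite(server_hello)
    findings = []
    if chosen not in offered:
        findings.append("server chose 0x%04x, which the client never offered" % chosen)
    if chosen in EXPORT_RSA_SUITES:
        findings.append("export-grade suite negotiated: " + EXPORT_RSA_SUITES[chosen])
    return findings

def _record(hs_type: int, payload: bytes) -> bytes:
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def build_client_hello(suites: list) -> bytes:
    # Constructed sample: TLS 1.0, zeroed random, empty session id, null compression only.
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    return _record(1, b"\x03\x01" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")

def build_server_hello(suite: int) -> bytes:
    return _record(2, b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00")
```

Running `check_negotiation(build_client_hello([0x002F, 0x0035]), build_server_hello(0x0008))` reproduces the FREAK condition: the client offered only AES suites, yet the ServerHello names an RSA_EXPORT suite, and both checks fire.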
Warnings have been given behind the scenes in the past weeks, with the flaw initially being kept quiet, but now that the cat is out of the bag, remediation will have to proceed much more swiftly.
Apple and Google have fixes readied for the Safari and Android browsers, with Google having developed a patch for its OS which the company says it has already sent out to partners. How long those partners will take to push it out to users is, as ever, the rub with Android. Given the widespread and serious nature of this flaw, we’re hoping it’ll be pretty pronto in all cases.
According to NBC, an Apple spokesman, Ryan James, said that the company had also developed a patch, and the update would be pushed out next week.