Microsoft Patches FREAK Vulnerability on Busy Patch Tuesday

Microsoft released a fix for the FREAK vulnerability today as part of a massive Patch Tuesday security update.

The fix is one of dozens spread across 14 security bulletins. Of the 14, five are classified as ‘critical’, with many experts agreeing that the Internet Explorer update should be the main priority. However, the FREAK vulnerability also warrants attention since it has been publicly disclosed.

“While FREAK is absolutely a real bug, and the techniques used by INRIA and company are excellent examples of cryptography research, the practical effects of the bug are still quite limited,” said Tod Beardsley, Metasploit engineering manager at Rapid7. “Some analyses characterize the attacker as an “eavesdropper,” but that implies a passive stance. The attacker must be actively interfering with a specific TLS connection to trigger the vulnerability, so a fair amount of prep work to get in that position is a prerequisite.”

Last week, Microsoft revealed that the vulnerability did affect Microsoft products and existed in Secure Channel (Schannel), a security package that implements the SSL/TLS protocols. Using the vulnerability, a man-in-the-middle attacker could downgrade the key length of an RSA key to EXPORT-grade length in a TLS connection and decipher communications. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected, Microsoft explained.
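The downgrade described above leaves a visible trace in the handshake: the server selects an export-grade RSA suite, often one the client never offered. The following is an added defender-side check, not code from the article or from Microsoft; it parses the cipher suite fields of a ClientHello/ServerHello pair and flags export-grade RSA suites and the offered/selected mismatch. The `build_hello` helper and the sample records are constructed for this example.

```python
import struct

# RSA export-grade cipher suites (RFC 2246, Appendix A.5): the 512-bit RSA suites a FREAK downgrade targets.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _hello_suites(record: bytes, hs_type: int) -> list:
    """Cipher suite field of a ClientHello (0x01) or ServerHello (0x02) in one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:]                      # skip the 5-byte record header
    if body[0] != hs_type:
        raise ValueError("unexpected handshake type 0x%02x" % body[0])
    pos = 4 + 2 + 32                       # handshake header, version, random
    pos += 1 + body[pos]                   # session_id<0..32>
    if hs_type == 0x02:                    # ServerHello carries one selected suite
        return [struct.unpack("!H", body[pos:pos + 2])[0]]
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return list(struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len]))

def audit_handshake(client_hello: bytes, server_hello: bytes) -> dict:
    """Flag export-grade RSA suites offered or selected, and a selected suite the
    client never offered, which is what a rewritten ClientHello looks like from the client side."""
    offered = _hello_suites(client_hello, 0x01)
    selected = _hello_suites(server_hello, 0x02)[0]
    return {
        "offered_export": [RSA_EXPORT_SUITES[s] for s in offered if s in RSA_EXPORT_SUITES],
        "selected_export": RSA_EXPORT_SUITES.get(selected),
        "selected_not_offered": selected not in offered,
    }

def build_hello(hs_type: int, suites: list) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello/ServerHello record (test data only)."""
    version = b"\x03\x01"
    if hs_type == 0x01:
        field = struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body = version + bytes(32) + b"\x00" + field + b"\x01\x00"   # empty sid, suites, null compression
    else:
        body = version + bytes(32) + b"\x00" + struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed sample: client offers only AES suites, server answers with RC4-40 export (0x0003).
    ch = build_hello(0x01, [0x002F, 0x0035])
    print(audit_handshake(ch, build_hello(0x02, [0x0003])))
```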

Apple patched the vulnerability this week as well.

Despite the headlines the FREAK vulnerability has grabbed, the Internet Explorer bulletin should be the first priority, argued Russ Ernst, director of product management at HEAT Software.

“This one is critical and covers off on 12 CVEs, including the February zero-day CVE-2015-0072 that is a cross-site scripting (XSS) vulnerability in IE 10 and 11,” he explained. “It allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element.”

Two vulnerabilities were publicly disclosed and one is under active attack; the other 10 CVEs were privately reported and impact all versions of IE, he added.


The other critical bulletins impact Windows, Microsoft Office and Microsoft Server Software. MS15-019 deals with a vulnerability in the VBScript scripting engine in Windows that could enable remote code execution if a user visits a specially-crafted website. MS15-020 is another critical Windows update, and addresses remote code execution vulnerabilities that can be exploited if an attacker convinces a user to browse to a malicious site, open a malicious file or open a file in a working directory that contains a specially-crafted DLL file.

The third critical Windows update is MS15-021, which addresses multiple vulnerabilities in the Adobe Font Driver. The final critical bulletin, MS15-022, impacts Microsoft Office and Microsoft Server Software.

“Also released this month is MS15-022, a remote execution vulnerability in a cross-platform component of Office,” said David Picotte, manager of security engineering at Rapid7. “This affects all supported versions of MS Office, docx/xls viewers, SharePoint and Office Web Apps. Bundled into this bulletin is a fix for a set of cross-site scripting (XSS) vulnerabilities, namely CVE-2015-1633 and CVE-2015-1636; applying these fixes will likely be the most time-consuming patch for administrators as it may require a restart of critical SharePoint infrastructure systems.”

The remaining bulletins patched this month are rated ‘important’, and impact Windows and Microsoft Exchange.

Written By

Marketing professional with a background in journalism and a focus on IT security.