Microsoft released a fix for the FREAK vulnerability today as part of a massive Patch Tuesday security update.
The fix is one of dozens spread across 14 security bulletins. Of the 14, five are classified as ‘critical’, with many experts agreeing that the Internet Explorer update should be the main priority. However, the FREAK vulnerability also warrants attention since it has been publicly disclosed.
“While FREAK is absolutely a real bug, and the techniques used by INRIA and company are excellent examples of cryptography research, the practical effects of the bug are still quite limited,” said Tod Beardsley, Metasploit engineering manager at Rapid7. “Some analyses characterize the attacker as an ‘eavesdropper,’ but that implies a passive stance. The attacker must be actively interfering with a specific TLS connection to trigger the vulnerability, so a fair amount of prep work to get in that position is a prerequisite.”
Last week, Microsoft revealed that the vulnerability did affect Microsoft products and existed in Secure Channel (Schannel), a security package that implements the SSL/TLS protocols. Using the vulnerability, a man-in-the-middle attacker could downgrade the key length of an RSA key to EXPORT-grade length in a TLS connection and decipher communications. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected, Microsoft explained.
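The downgrade described above shows up on the wire as a ServerHello that selects an RSA export-grade cipher suite. The following is an added detection example, not code from the article or from Microsoft: it parses a TLS ServerHello record and flags the three RSA_EXPORT suites by their IANA identifiers, using a constructed sample record rather than a real capture.

```python
import struct

# RSA export-grade cipher suites (IANA IDs); a ServerHello choosing one of
# these is the condition a FREAK-vulnerable client would go on to accept.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                  # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]                                # after version + 32-byte random
    pos = 35 + sid_len
    if pos + 2 > len(body):
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": cipher}


def is_export_downgrade(record: bytes) -> bool:
    """True when the server selected an RSA export-grade suite."""
    return parse_server_hello(record)["cipher_suite"] in RSA_EXPORT_SUITES


def build_server_hello(cipher_suite: int) -> bytes:
    """Constructed minimal TLS 1.0 ServerHello record (test input, not a real capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sample = build_server_hello(0x0003)   # constructed: server picks RC4_40 export suite
    suite = parse_server_hello(sample)["cipher_suite"]
    print(f"selected 0x{suite:04x}, export downgrade: {is_export_downgrade(sample)}")
```

A fuller check would also compare the selected suite against the suites the client actually offered in its ClientHello, since a server that picks a suite the client never sent is the stronger signal of interference.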
Apple patched the vulnerability this week as well.
Despite the headlines the FREAK vulnerability has grabbed, the Internet Explorer bulletin should be the first priority, argued Russ Ernst, director of product management at HEAT Software.
“This one is critical and covers off on 12 CVEs, including the February zero-day CVE-2015-0072 that is a cross-site scripting (XSS) vulnerability in IE 10 and 11,” he explained. “It allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element.”
Two vulnerabilities were publicly disclosed and one is under active attack; the other 10 CVEs were privately reported and impact all versions of IE, he added.
The other critical bulletins impact Windows, Microsoft Office and Microsoft Server Software. MS15-019 deals with a vulnerability in the VBScript scripting engine in Windows that could enable remote code execution if a user visits a specially-crafted website. MS15-020 is another critical Windows update, and addresses remote code execution vulnerabilities that can be exploited if an attacker convinces a user to browse to a malicious site, open a malicious file or open a file in a working directory that contains a specially-crafted DLL file.
The third critical Windows update is MS15-021, which addresses multiple vulnerabilities in the Adobe Font Driver. The final critical bulletin, MS15-022, impacts Microsoft Office and Microsoft Server Software.
“Also released this month is MS15-022, a remote execution vulnerability in a cross-platform component of Office,” said David Picotte, manager of security engineering at Rapid7. “This affects all supported versions of MS Office, docx/xls viewers, SharePoint and Office Web Apps. Bundled into this bulletin is a fix for a set of cross-site scripting (XSS) vulnerabilities, namely CVE-2015-1633 and CVE-2015-1636. Applying these fixes will likely be the most time-consuming patch for administrators as it may require a restart of critical SharePoint infrastructure systems.”
The remaining bulletins patched this month are rated ‘important’, and impact Windows and Microsoft Exchange.