Windows users are also vulnerable to FREAK snooping attacks

The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.

FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.

The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites — then crack the keys and spy away.

When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.

The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.

In its advisory, Microsoft said:

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:

  • Internet Explorer
  • Chrome on OS X (patch available)
  • Chrome on Android
  • Safari on OS X (patch expected next week)
  • Safari on iOS (patch expected next week)
  • Stock Android browser
  • BlackBerry browser
  • Opera on OS X
  • Opera on Linux

As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.

Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…

Beyond Superfish: Turns out SSL-trashing spyware is widespread

Last week Lenovo found itself in deep trouble over the Superfish spyware that it installed on many recent consumer laptops. Designed to insert ads into customers’ browsing experiences, the software has very insecure foundations and basically made users vulnerable to hacking attacks.

Turns out it’s not just Lenovo customers who should be worried about their exposure — the insecurity of Superfish is largely due to its use of technology from an Israeli company called Komodia, and quite a few software packages in the areas of antivirus and parental protection also use Komodia’s engine. Examples highlighted by the U.S. Department of Homeland Security include products from parental control outfits Qustodio, Kurupira, Infoweise and Komodia’s own KeepMyFamilySecure, and security firms such as Lavasoft and Websecure.

Qustodio wrote in a Saturday blog post that it was working on a “fix in order to avoid potential phishing attacks from external malicious users.”

These various packages, including the Superfish software that Lenovo quietly installed on its consumer laptops late last year, used Komodia to put a fake root certificate authority (CA) on each user’s PC, together with a private key, in order to be able to intercept and analyze even encrypted “SSL” browsing sessions. However, this mechanism was really badly implemented.

As Facebook’s Matt Richard noted, the reuse of the same root CA across multiple machines (with the same “komodia” private key password) means bad actors could “potentially obtain that CA file and perform ‘man-in-the-middle’ (MITM) attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet.”

Cloudflare researcher Filippo Valsorda wrote about the potential manipulation of Komodia’s mechanism even without the need for extracting the private key: “An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.”

In short, this software greatly increases insecurity, which is why the DHS is urging people to uninstall all software that uses the Komodia Redirector and SSL Digestor libraries, and all associated root CA certificates, and why Mozilla is considering blacklisting those certificates in Firefox.

That’s kind of ironic, seeing as so many of these software applications are intended to protect their users. The same goes for Comodo, an actual certificate authority that also puts out a security-focused browser called Comodo Dragon. As researcher Hanno Böck wrote on Monday, this and other Comodo products ship with a “privacy” tool called PrivDog that supposedly replaces ads in webpages with ads from “trusted sources” – and as with Komodia’s tools, this one also verifies dodgy certificates when it shouldn’t.

CloudFlare’s Valsorda has come up with a tool called Badfish that was originally designed to detect infections by Superfish, but now also scans for those by other Komodia-using products and PrivDog as well. If you’re a Windows user and you’re using parental control software or certain antivirus products, it might be worth giving that page a visit to see if you need to be uninstalling anything.

Gogo issues fake security certificates to block in-flight streaming

If you’re looking for another reason to hate Gogo, the much-criticized ISP of the skies, then it just provided one. Neowin revealed on Monday that the Gogo is messing with the SSL (secure socket layer) certificates issued by websites to encrypt traffic coming to and from your browser.

According to Neowin, [company]Google[/company] security engineer Adrienne Porter Felt discovered the tactic when surfing Google sites. [company]Gogo[/company] was replacing the SSL certificates she would normally get from Google with the ISP’s own certificates. This is the kind of ploy you’d usually see when a malicious hacker is performing a man-in-the-middle attack. But according to Gogo it’s just using the certificates as a way of identifying video traffic so it can block it over its narrowband air-to-ground network. From a statement by Gogo EVP and CTO Anand Chari:

“… we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.  Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.”

Considering passengers on most Gogo planes today are sharing the equivalent of a single 3G connection, keeping video off the inflight wireless network is probably a good policy – instead of a bunch of crappy connections you’d get no connections at all. But the way Gogo is enforcing that policy by breaking the security of sites is, as The Verge puts it, “a terrible idea for everyone involved.”

Weekend Vid Picks: History Lessons In Video Form

This week, two videos went viral because of the way in which they put history into perspective — one through visuals, the other through ideas. Visual Effects: 100 Years of Inspiration has a slightly inaccurate title, as the montage begins with the 1900 film The Enchanted Drawing and ends with 2008’s The Curious Case of Benjamin Button. But by starting with some of the very first animation used in film before moving quickly into the effects revolution that’s occurred over the past 30 years, the scope of how film has evolved is put into sharp relief.
Read More about Weekend Vid Picks: History Lessons In Video Form

Adobe Bridge as a Better iPhoto

BridgeiPhoto is OK, especially if you like lots of automation when managing your image files, but it’s not as likely to appeal to pros or serious amateurs. Some will use Apple’s (s aapl) Aperture or Adobe’s (s adbe) Lightroom, but there’s another photo management solution you may already have on your hard drive.

I’m talking about Adobe’s Bridge utility, a photo file browser bundled with CS3 and CS4, and in a slightly feature-reduced version, with Photoshop Elements 6 (PSE). I prefer Bridge’s more manual control and configuration options to iPhoto’s automation of how you browse, organize, delete, search, view, edit, and apply metadata to your image files. Read More about Adobe Bridge as a Better iPhoto