Avast Battery Saver extends your Android’s battery life

New intelligent app from Avast learns individual user behavior and optimizes features to maximize battery life. Avast is excited to announce the release of our newest app, Avast Battery Saver. Battery Saver is the first intelligent battery-saver app for Android that increases battery life by an average of 7 hours. Avast Battery Saver optimizes your […]

The FREAK Vulnerability: What You Need to Know

A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers.


A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. It’s a threat because FREAK allows an attacker to get between a client and a server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software, but it is only exploitable against poorly configured web servers. Both clients and servers are at risk. Web site owners can protect their sites by properly configuring their web servers. End users will need to wait for browser vendors to release new versions that include the OpenSSL bug fix.

Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended; no certificate replacement is needed.

Organizations should evaluate their web servers to determine if they are vulnerable. Symantec expects to offer an easy-to-use check in its SSL Toolbox so that customers can verify whether their web sites are vulnerable. This will be announced when available. At the time of this writing, Symantec is evaluating its own systems and no Symantec web servers appear to be vulnerable.


Technical Details:

It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the use of so-called Export Ciphers. In Apache/OpenSSL documentation, for example, the names of these ciphers all begin with EXP (from https://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5

If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

NULL-SHA
NULL-MD5

In Windows, the names of export ciphers contain the string “EXPORT”. Here is a list taken from http://support.microsoft.com/kb/245030:

SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
NULL

We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.
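As an added illustration of the audit described above (my own example, not Symantec’s SSL Toolbox or any other Symantec tool), the script below takes a server’s list of enabled cipher suites in either naming style shown in this article, the OpenSSL style (EXP-…, NULL-…) or the Windows/IANA style (…_EXPORT…, …_WITH_NULL_…), reports which suites must be removed, and builds an Apache SSLCipherSuite value with the OpenSSL exclusion aliases !EXP and !eNULL appended. The sample cipher list is constructed for the example. The local_stack_offers helper is an extra, client-side check not taken from the article: it asks the local OpenSSL build whether it can still negotiate a given cipher alias at all.

```python
"""Audit an enabled-cipher list for the export-grade and null suites that
FREAK abuses, and build a hardened OpenSSL/Apache cipher string.
Added example; not Symantec's SSL Toolbox."""
import re
import ssl

# OpenSSL-style names begin with "EXP-" (EXP-RC4-MD5); Windows/IANA-style
# names carry "_EXPORT_" or "_EXPORT1024_" (TLS_RSA_EXPORT_WITH_RC4_40_MD5).
EXPORT_RE = re.compile(r"^EXP-|_EXPORT(1024)?_")
# Null ciphers: OpenSSL NULL-SHA / NULL-MD5, IANA ..._WITH_NULL_..., bare NULL.
NULL_RE = re.compile(r"^NULL(-|$)|_WITH_NULL_")

# Constructed sample of a server's enabled suites, modelled on the article's lists.
SAMPLE_ENABLED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "NULL-SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]


def classify(suite):
    """Return 'export', 'null' or 'ok' for a single cipher-suite name."""
    name = suite.strip()
    if EXPORT_RE.search(name):
        return "export"
    if NULL_RE.search(name):
        return "null"
    return "ok"


def audit(suites):
    """Split an enabled-cipher list into the suites to remove and those to keep."""
    report = {"export": [], "null": [], "ok": []}
    for suite in suites:
        report[classify(suite)].append(suite.strip())
    return report


def hardened_openssl_string(current, exclusions=("!EXP", "!eNULL")):
    """Append OpenSSL exclusion aliases to an SSLCipherSuite value unless they
    are already present. '!' removes the alias from the list permanently;
    EXP is the export alias, eNULL the no-encryption alias."""
    parts = [p for p in current.split(":") if p]
    for ex in exclusions:
        if ex not in parts:
            parts.append(ex)
    return ":".join(parts)


def local_stack_offers(alias):
    """Ask the local OpenSSL whether it can still negotiate an alias such as
    'EXP' or 'eNULL'. Modern OpenSSL builds contain no export suites, so
    set_ciphers raises SSLError and the result is an empty list; otherwise
    the export/null suite names the local client could offer are returned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(alias)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if classify(c["name"]) != "ok"]


if __name__ == "__main__":
    result = audit(SAMPLE_ENABLED)
    print("remove (export):", result["export"])
    print("remove (null):  ", result["null"])
    print("keep:           ", result["ok"])
    # Hypothetical current Apache directive value, hardened in place.
    print("SSLCipherSuite", hardened_openssl_string("HIGH:MEDIUM"))
    print("local client can still offer EXP:", local_stack_offers("EXP") or "none")
```

The audit works on whatever list the server’s own tooling reports (the article’s advice to consult the web server documentation still applies for obtaining that list); the hardening step only appends exclusions, so an existing tuned cipher string is left intact.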

Additional guidance from Symantec

FREAK is another reminder that website security is not just about certificates. Symantec has numerous articles and white papers on security best practices and technical areas related to SSL/TLS and code-signing issues. Please stay tuned to our Connect blog site for up-to-date information on this and other critical vulnerabilities, for other topics related to advanced threat protection, and for security industry news. Please access our learning center for more resources that can help your organization make critical decisions related to web server security. For technical details to help with troubleshooting please bookmark our SSL/TLS and code-signing knowledge base.

FREAK vulnerability can leave encrypted communications exposed to attacks

A recently reported flaw allows attackers to force secure connections to use a weaker, breakable encryption method.

FREAK vulnerability can leave encrypted communications open to attacks

A recently disclosed flaw allows attackers to force secure connections to use a weaker form of encryption that can be broken.

FREAK vulnerability can leave encrypted communications open to attack

A recently reported flaw lets attackers force secure connections to use a weaker, breakable form of encryption.

Behind the Scenes of Avast’s Global Wi-Fi Hack Experiment: How we collected and analyzed Wi-Fi data

Wi-Fi and encryption

Data transmitted over a wireless network can be either unencrypted or encrypted. While both options are available to users, the use of open, unprotected Wi-Fi networks has become increasingly popular across the globe. In the case of open wireless networks, the transmitted data are unencrypted and might be visible to others, […]

Avast Launches Memory Saving Cleaner App for Android

Today, Avast announced the launch of Avast GrimeFighter at the Mobile World Congress in Barcelona. The new application helps Android users free extra memory on their devices with just a few taps so they can save the data that matters to them while enjoying a faster, smoother performance on their devices.

How Avast GrimeFighter works

Avast GrimeFighter begins by […]

Financial Trojans: Infections dropped 53 percent in 2014, but the threat persists

Although the number of financial Trojan detections decreased during 2014, the threat was considerable, as attackers have moved to evade new security measures.

Trojans in 2014: 53% drop in infections, but the threat still persists

Although the number of financial Trojan detections decreased in 2014, the threat is still considerable, as attackers changed their tactics to circumvent the latest security measures.

Financial Trojans in 2014: Takedowns contributed to 53 percent drop in infections, but threat is still prevalent

While the number of financial Trojan detections decreased in 2014, the threat was still considerable, as attackers moved to bypass newer security measures.