Date: 2015-03-03
(Adds comment from Google spokeswoman)
BOSTON, March 3 Apple Inc and Google
Inc said on Tuesday that they have developed fixes to
mitigate the newly uncovered 'Freak' security flaw affecting
mobile devices and Mac computers.
The vulnerability in web encryption technology could enable
attackers to spy on communications of users of Apple's Safari
browser and Google Inc's Android browser, according to
researchers who uncovered the flaw.
Apple spokesman Ryan James said the company had developed a
software update to remediate the vulnerability, which would be
pushed out next week.
Google spokeswoman Liz Markman said the company had also
developed a patch, which it has provided to partners. She
declined to say when users could expect to receive those
upgrades.
Google typically does not directly push out Android software
updates. Instead they are handled by device makers and mobile
carriers.
The Washington Post reported that the bug left users of
Apple and Google devices vulnerable to cyberattack when visiting
hundreds of thousands of websites, including Whitehouse.gov,
NSA.gov and FBI.gov. (http://wapo.st/18KaxIA)
Whitehouse.gov and FBI.gov have been fixed, but NSA.gov
remains vulnerable, the paper cited Johns Hopkins cryptographer
Matthew D. Green as saying.
A group of nine researchers discovered that they could force
web browsers to use a form of encryption that was intentionally
weakened to comply with U.S. government regulations that ban
American companies from exporting the strongest encryption
standards, according to the paper.
Once they caused the site to use the weaker export
encryption standard, they were then able to break the encryption
within a few hours. That could allow hackers to steal data and
potentially launch attacks on the sites themselves by taking
over elements on a page, the newspaper reported.
Markman said that Google advises all websites to disable
support for the less-secure, export-grade encryption.
"Android's connections to most websites - which include
Google sites, and others without export certificates - are not
subject to this vulnerability," she added.
The group of researchers dubbed the flaw Freak, for
"Factoring RSA-EXPORT Keys," according to a website where they
described the vulnerability: www.smacktls.com.
(Reporting by Jim Finkle; Editing by Christian Plumb, Bernard
Orr)