Patches released for Freak flaw by Microsoft and Apple

Microsoft and Apple have released software fixes for a web browser bug that could let hackers spy on supposedly secure communications.

The updates have been made available about a week after the so-called Freak flaw was made public, and require users to restart their computers and smartphones after installation.

Google patched its Chrome browser and distributed an Android fix last week.

However, the Blackberry 10 browser remains vulnerable.

The Freak flaw was discovered by encryption and security expert Karthikeyan Bhargavan and made public on 3 March.

It lets attackers force data travelling between a vulnerable site and a visitor to use weak encryption.

The theory is that if a hacker combines the technique with what is referred to as a man-in-the-middle attack - allowing them to intercept data - they would find it relatively easy to decrypt the transmission, exposing secrets users had believed to be safe.

A group set up to monitor the impact of the Freak flaw suggested that about 9.5% of the web's top one million websites were susceptible to such attacks.

It has issued a tool that alerts users as to whether their browser is vulnerable.

One cybersecurity expert said the major companies had reacted relatively quickly to the problem.

"Taken as a whole this is a rapid response," said Rik Ferguson, director of security research at Trend Micro.

"A large number of users have the opportunity for protection now, but there's a big difference between the date when a patch is released and when it is implemented.

"Not everyone is going to download and apply the Microsoft, iOS and Mac patches straight away.

"And Android is particularly problematic because Google has to rely on handset manufacturers, and in some cases carriers as well, to make sure the patch gets out to end users.

"This is a textbook example of why a patch isn't the end of the problem."
