Posted on 03/07/2015 5:30:46 PM PST by dayglored
Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk.
The news was a turnabout from earlier in the week, when researchers initially fingered only Apple's iOS and OS X and Google's Android operating systems as those that could fall victim to cybercriminals spying on purportedly secure communications between browsers and website servers.
By adding Windows to the list, the number of jeopardized users jumped dramatically: Windows powered 92% of all personal computers last month.
In a security advisory released Thursday, Microsoft said Windows was, in fact, vulnerable to FREAK (Factoring attack on RSA-EXPORT Keys).
"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Microsoft said in the advisory. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."
...
(Excerpt) Read more at computerworld.com ...
Isn’t the fix out?
Oh, is that all ..??????
Move along .. nothing to see here.
I’ve had two serious Windows security updates recently, so it may have already been taken care of. I’ve not received any notice from Windows .. which I have had before when a serious issue was unfolding.
Nut-job Conspiracy Theory Ping!
To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...
Windows XP? Well if you’re trying to compare operating systems. What version of OSX or was it OS 9 back when XP launched... See if Apple fixes it for that os.
Our see if any Linux distro that was out 12 years ago gets a patch. Our Amy Android...oops Android want even out them so does the first Android version get a patch from Google? Seriously I don’t know will Google patch EVERT version of Android?
Well, YEAH! What fun is there in THAT!?
After all, I’m playing WoTBlitz, watching the Duke/UNC game, AND checking out interesting FR articles. You really can’t expect me to click through to the article now, can you!?
;-P
Nice graphic. Thanks!
Well, let's see. Windows XP was released on October 25, 2001, Apple OS X.0 was released on March 24, 2001. . . so those would be comparable. However, Windows XP was superseded by Windows Vista on January 30, 2007. At that time Apple was still shipping OS X.4 Tiger. It was superseded by OS X.5 Leopard on October 7, 2007. So, in answer to your question, Tiger is no longer supported with security updates and the Safari version that shipped with it will not be fixed. However, any Mac using OS X.6 "Snow Leopard" which was released on August 28, 2009, or later will be receiving an update to fix the issue.
That being said, according to Chitika, the percentage of Apple Mac users who are still using OS X.5 Leopard or older is less than 2%. On the other hand, for-q-clinton, they report that almost 19% of Windows users are still using Windows XP!
> Windows XP? Well if you're trying to compare operating systems.
No, I wasn't comparing operating systems whatsoever. You missed the point. The point was that XP is obsolete and won't get patched. However, with ONE IN FIVE -- 20% of Windows users STILL USING XP, I thought a word of warning was the least I could do.
> What version of OSX or was it OS 9 back when XP launched... See if Apple fixes it for that os.
Are you joking? Or drunk? This has absolutely nothing to do with Apple or OS-X. Were you conscious between 2004 and 2012?
The problem with XP was that Microsoft royally screwed the pooch, multiple times, and had to keep XP alive because they produced "follow-up" releases that were so unacceptable, so flawed, that nobody wanted them, even when Microsoft tried to force them down their customers' throats. As a result Windows users stayed with XP much longer than they ever should have. Windows 7 was a winner, but 6 years after it was released, XP still has 20% of the users. That's how badly Microsoft screwed up.
To imply that Apple should have done the same thing is not only missing the point, it's over-the-top nuts.
> Our see if any Linux distro that was out 12 years ago gets a patch.
Oh, for-q. This is the same issue, and you have the same confusion. You -are- confused, right? Not drunk? Just sayin'.
> Our Amy Android...oops Android want even out them
Hmmm, maybe you ARE drunk.
> so does the first Android version get a patch from Google? Seriously I don't know will Google patch EVERT version of Android?
Why are you going on like this? Please, go back to sleeping, or drinking, or whatever it was you were doing. Thanks.
And while you're at it, make sure you aren't running XP. Upgrade at least to Windows 7 -- it's a wonderful operating system. I have 5 instances of it (three at home, two at work) that I use daily. It rocks.
I'm looking out for you, for-q. You sound like a person who needs help. Take care and have a great evening.
Ping to my comment #30 above, almost time-coincident with yours.
Google's Android model is that it is not Google's job to patch the devices made by its Android partners. It's the manufacturers of the devices' and the carriers' job to patch their devices. Many of them made devices that are not even capable of being upgraded, much less being patched.
Note that the chart above says the patch is "in the hands of the carriers and the device makers." Good luck with all those devices getting patched.
I’m told that one can get updates for XP, there’s some method of convincing Microsoft that your XP is running an ATM, for that application the updates continue uninterrupted.
That's true. You can pay Microsoft a hefty fee, or you can be one of their Very Special Customers, or you can convince them that you're an ATM.
Now think. First, unless your XP instance is embedded in, say, an industrial tool from an out-of-business manufacturer, and you have the option of running it without an Internet connection (for safety), why in the world would you want to do that? Windows 7 is a much better OS, and done properly, switching to it from XP is relatively painless. (Windows 8 is another screwed-the-pooch, we won't talk about that.)
Second, the 20% of users who are still running XP are STILL ON THE INTERNET -- the surveys that check what OS people are using are done over the Internet. So that 20% DOES NOT count the embedded, off-line instances. Who knows how many of those there are?
I do not believe it is prudent to continue using XP, and we're way past the point where I feel comfortable encouraging anyone, especially FReepers whom I consider my friends, to continue using XP, especially if they're getting on the Internet.
So while what you say is true, I consider it bad advice to follow that path.
Between us, he may pick up half a clue. . . but I have my doubts. There is a certain mindset that just cannot see beyond their irrational MAPS (you know my girlfriend's and my definition of that diagnosis).
I kind of doubt that Microsoft would be coming out with a patch for Internet Explorer for an ATM. Kinda hard to picture an ATM freely browsing the internet.
WAY worse things can already happen to you than an obscure MITM attack while using a public wifi net in a coffee shop, hotel or such.
Just a secondary point to what you said, dayglo:
Microsoft CAN NOT patch XP (or Windows Server 2003 for that matter). If you are on XP, you are vulnerable to this exploit. It's not a matter of if, but when.
Bottom line, this exploit throws into question the very nature of secure computing on the Internet. Unless everything you do on your XP machine is "wide open" and unencrypted already (i.e. browsing everyday sites like FR), then you must question whether or not your connection is secure. Banking, secure logins to sites like those for your retirement, investments, secure logins for media sites like YouTube, Facebook, and Twitter... ALL of it.
You don't "get" a bug. It's not like a virus or malware. This is an exploit that means that the secure channel you establish with your bank, for instance, can be compromised, en route, and from your machine, it could look like you're communicating securely with your bank, when in reality you're passing all of your clicks and typing to a third party. This is known as a "man in the middle" attack. There's no "tell" if it's happening to you, before or after. You'll wake up one morning, your bank accounts will be drained, your email will be compromised, everything secure will be compromised.
The article, as well as several security sites, state that Firefox is not affected.
Firefox is essentially its own little operating system. Everything about it, its cryptographic suite, its execution environment, runs in a sequestered workspace. Further, Mozilla, while recently coming under attack from consumers for "breaking the Internet," has been at the forefront of locking down their browser. The reason why FF can be clunky or inoperable in some ways is due to their methodologies. They are focused on safety over functionality. It's one of the reasons I've stuck with them over the years.