Windows iOS BlackBerry Apple Android Microsoft Google

BlackBerry last to close "Freak" vulnerability

posted by Alan F. / Mar 16, 2015, 3:32 PM

Last week, BlackBerry said that it was feverishly working on a patch that would prevent its users from being hacked by a bug called "Freak." This software issue could allow hackers to spy on private communications and could also lead to attacks on web sites. Apple and Microsoft have already sent out software updates to deal with "Freak," while Google said last week that it already has a patch ready to protect manufacturers and carriers who sell Android devices.

BlackBerry spokeswoman Kim Geiger said last week that the company is working on a software update to protect devices that could be affected by this Open SSL exploit which attacks both mobile and desktop browsers. So far, the company says it has not had one customer complain about being affected by "Freak."

Besides attacking elements on a website, the bug can allow hackers to steal your passwords and other personal information. Still, those in the security business say that the odds of users facing an attack from "Freak" is very slim. Ironically, the genesis of the bug is U.S. government policy that prevents higher-grade encryption software from being exported. Instead, weaker software was sent to other countries, recycled, and was placed inside technology that ended up back in the U.S. It is the weaker encryption standard on some browsers that allows these hackers to get their "Freak" on.

The exploit was undiscovered for years until researchers discovered a way to force a browser to use the weaker encryption and eventually break the code in hours. The U.S. government is still trying to weaken strong encryption software that makes it hard for law-enforcement to get what they claim is necessary information. Besides cracking the weaker encryption on a user's browser, the victim would also have to have his intranet compromised.

The list of impacted BlackBerry products includes BlackBerry 10 OS (all versions); BlackBerry 7.1 OS and earlier (all versions); BES12 (all versions); BES10 (all versions); BES12 Client (iOS) (all versions); Secure Work Space for BES10/BES12 (Android) (all versions); Work Space Manager for BES10/BES12 (Android) (all versions); Work Browser for BES10/BES12 (iOS) (all versions); Work Connect for BES10/BES12 (iOS) (all versions); BlackBerry Blend for BlackBerry 10, Android, iOS, Windows and Mac (all versions); BlackBerry Link for Windows and Mac (all versions); BBM on BlackBerry 10 and Windows Phone (all versions); BBM on Android earlier than version 2.7.0.6; BBM on iOS earlier than version 2.7.0.32; BBM Protected on BlackBerry 10 and BlackBerry OS (all versions); BBM Protected on Android earlier than version 2.7.0.6; BBM Protected on iOS earlier than version 2.7.0.32; and BBM Meetings for BlackBerry 10, Android, iOS, and Windows Phone (all versions).

A test conducted by the University of Michigan found that one-third of all encrypted websites are vulnerable to this bug. This type of hacking is popular in countries like China and Iran that spy on online traffic. It also can be used when a hotel guest logs onto the internet whether using a mobile or desktop device.

Thanks for the tip!

source: BlackBerry via WashingtonPost, FinancialPost

Options

14 Comments

1. meanestgenius

Posts: 22212; Member since: May 28, 2014

Old news, and choc full of BS as well. BlackBerry issued a fix for this, and it was seeded out to Z30 owners first, followed by Z10 and Q10 owners. Passport owners now have the update as well. http://utbblogs.com/blackberry/blackberryunleashed/zdnet-blackberry-slow-to-respond-to-freak-flaw-says-it-has-no-fix/#more-20180 It must be "Bash BlackBerry day" here at PA again.

posted on Mar 16, 2015, 3:39 PM 3

3. Mxyzptlk unregistered

Or maybe people haven't heard about it and PA being a tech blog posted about it. PA isn't always credible but take a chill pill and cool off. Don't get so salty about it.

posted on Mar 16, 2015, 5:10 PM 1

10. Phooey506

Posts: 85; Member since: Sep 24, 2014

"Bash BlackBerry day"? The title of the article plainly says that BlackBerry has closed the bug.

posted on Mar 17, 2015, 7:24 PM 0

11. meanestgenius

If you read the article, along with the other nonsense that was posted on the same day about BlackBerry, then you'd know what I was referring to. Furthermore, this article is about a week late. BlackBerry issued a fix last week. Why wasn't it mentioned in the article? Like I said, "Bash BlackBerry Day".

posted on Mar 17, 2015, 7:43 PM 1

2. meanestgenius

http://crackberry.com/blackberry-os-10312558-update-files-now-available-download More information proving that BlackBerry has already released a fix for the "Freak" vulnerability.

posted on Mar 16, 2015, 3:48 PM 2

5. nnik8

Posts: 1; Member since: Mar 16, 2015

Don't forget, a lot of people have a lot of money invested in Apple, BlackBerry's success is a serious threat to them. So when one obscure site starts a bogus rumor it is repeated until it becomes a fact

posted on Mar 16, 2015, 11:29 PM 1

12. Sasparilla

Posts: 6; Member since: Jun 14, 2012

Actually this is not true - the last Mobile Vendor leaving their customers vulnerable to the FREAK vulnerability is Microsoft. Windows Phone 8.1 with the latest patches is still vulnerable. Microsoft only patched desktop Windows.

posted on Mar 17, 2015, 9:23 PM 1

13. JaneChenLong

Posts: 374; Member since: Mar 18, 2015

The article said Apple fix it first, and BB dragging it's feet. Maybe PA just post it a little late. But the main subject here is, BB is not 'first in security' compared to other brand.

posted on Mar 18, 2015, 5:41 AM 0

14. meanestgenius

BlackBerry's position in security compared to others is like night and day. There is no brand that has better security than BlackBerry. If you have proof that there is another brand better, provide links saying so. Otherwise, it's just wishful thinking on your part. The post is very late, and provides no factual information about BlackBerry having a fix already released.