FREAK SSL/TLS Vulnerability

Original release date: March 06, 2015

FREAK (Factoring Attack on RSA-EXPORT Keys, CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

Users and administrators are encouraged to review Vulnerability Note VU#243585 for more information and apply all necessary mitigations as vendors make them available. Users may visit freakattack.com to help determine whether their browsers are vulnerable. (Note: DHS does not endorse any private sector product or service. The last link is provided for informational purposes only.)




We Have Now Helped Get 16 WordPress Plugin Vulnerabilities Fixed

It has now been a little over three months since we introduced our Plugin Vulnerabilities plugin amid our renewed effort to improve the security of WordPress plugins, and it seems like a good time to provide an update on what we have accomplished so far. For years we have been discussing the problem that many publicly disclosed vulnerabilities existed in the current versions of WordPress plugins and that those plugins were still available on the WordPress.org Plugin Directory. That is obviously a bad sign for the overall security of WordPress plugins, since making sure that known vulnerabilities get fixed is a very low bar for making sure that plugins are secure. In the past we hadn't kept track of how many of these vulnerabilities we had some part in getting fixed, but when we started working on the new plugin we started tracking that. This week two more of the plugins got fixes, bringing the total to 16 vulnerabilities fixed in as many plugins. Developers of two more plugins have indicated that vulnerabilities in their plugins will be fixed in upcoming releases.

One of the vulnerabilities fixed this week gives an indication of how poor the situation still is years after we first noticed it. Back on September 1 a vulnerability was publicly disclosed in the Easy Media Gallery plugin, which has 10,000+ active installs. The person disclosing the vulnerability decided not to inform the developers beforehand, and it would appear no one else bothered to either, considering that a fix was released within two days of us informing them on Monday. It wasn't a case of no one else seeing the post, as it has several comments, and two follow-up posts have comments from people complaining that the discoverer was not informing developers of the vulnerabilities.

The first comment on that post ties into another troubling issue that we have seen in the vulnerabilities fixed. The commenter mentions that they would inform the developers of WPScan, which they describe as a "black box WordPress vulnerability scanner", of the vulnerabilities. The commenter did in fact do that. It would appear that the WPScan folks didn't inform the developer of the vulnerability either. That certainly wouldn't be the first time: as we previously discussed, in another situation they disclosed a serious vulnerability in a plugin but didn't bother to inform the developer, which meant that, like this vulnerability, it wasn't fixed. We also found that they put vulnerabilities in their database but don't inform the developers of them, so that people with malicious intent are aware of vulnerabilities while everyone else is left vulnerable.

While just informing the developers of the vulnerabilities can in many cases get the vulnerability fixed quickly, we have found that in other cases that isn't enough. For example, in the case of the Xcloner plugin it took the Plugin Directory removing the plugin, after we reported it to them, for the developer to finally fix the vulnerability. In other cases we have found that despite the discoverer of the vulnerability and the developer of the plugin saying the vulnerability had been fixed, it actually wasn't. But our checking, done while determining what versions are vulnerable when adding the vulnerability to the Plugin Vulnerabilities plugin, has led to those vulnerabilities actually getting fixed.

If you run across a report of a vulnerability in the current version of a WordPress plugin, please make sure to inform the developer of the plugin and/or the people running the Plugin Directory. You can also let us know by leaving a message in the support forum for Plugin Vulnerabilities or sending an email to [email protected], which will allow us to add the vulnerability to our plugin and make sure that the vulnerability is handled properly.

Two weeks on, Superfish debacle still causing pain for some Lenovo customers

It has been a rough couple of weeks for Lenovo since revelations surfaced that the PC maker was selling notebooks pre-installed with dangerous, HTTPS-breaking adware. Initially, the company said the Superfish ad-injector posed no threat, a position it quickly reversed. Then, company officials issued a mea culpa that said the company stopped bundling the software in December. For customers who remained vulnerable, executives promised to release a removal tool that would delete all code and data associated with the adware.

Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February, more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed."
