Patch To Fix FREAK Bug is a Must-Install

John Lister's picture

Microsoft has joined Apple and Google in releasing browser security updates to patch a bug dubbed FREAK. The bug could make it easier for hackers to decrypt data that they intercept from website users.

The FREAK vulnerability doesn't allow hackers to see data in plain sight. Instead, it allows them to remotely change what's meant to be a secure website connection into an insecure one, meaning that previously encrypted data would then travel without any encryption.

For the attack to be of any use, a hacker would need to combine the FREAK exploit with another vulnerability that lets them intercept data, for example through another bug in a user's browser or on the website itself.

If this happened, the hacker would be able to see the content of the data right away rather than have to decrypt it, which would otherwise be a lengthy and difficult process. Nonetheless, the bug is a significant risk, as users naturally tend to be more confident about sending sensitive data to what appears to be a secure website.

Windows Update A Must

Microsoft has issued the patch in its latest 'Patch Tuesday' monthly update. If you don't have your Windows PC set to automatically install that update, this update (numbered MS15-031) is well worth installing manually right away.

Google has released a similar update for Android devices and the Chrome Browser, while Apple has released an update for iPhones and iPads. In both cases, the updates should download and install automatically.

Not Patched: IE for Windows XP, Windows 10 Technical Preview

One key exception is with a version of Internet Explorer in the publicly available 'Technical Preview' test edition of the forthcoming Windows 10, which remains unpatched at press time. It may be worth avoiding this -- or at least not using it for sites that require personal and sensitive data -- until it's fixed, which is likely to be in the next release of the preview. (Source: zdnet.com)

It's also noted that this bug will not be patched on systems running Windows XP, as Microsoft no longer supports that operating system. If you run Windows XP, it is recommended that you upgrade to an operating system that is actively receiving security updates.

Test Your Browser Against FREAK Attack

For added reassurance, you can visit http://freakattack.com and check the top line for a message about whether the browser you are using is vulnerable to the loophole.

Bug Dates Back To 1990s

The FREAK bug has been particularly controversial, as it appears to be an unforeseen consequence of a 1990s US government policy. At the time, the policy required American developers exporting software to include a 'weak-point' that would allow security services to more easily intercept and read data when tracking suspects.

Not only did officials believe this weak-point would remain secret, but it was set up in a way that it could only be exploited with the type of mammoth computing power available to the US government. However, the growth of computing capabilities in the past two decades means almost any individual with the right technical know-how could easily exploit FREAK with ordinary desktop computers. (Source: engadget.com)

What's Your Opinion?

Do you set your operating system and browser to automatically install security updates? If not, how do you go about deciding which ones to install? Do you think major software firms do a good enough job keeping users informed about the relative importance of different security threats?


Comments

JeffRL's picture

I use Windows 7 Home Premium. I have it set to tell me when updates are available to install, but I download and install them manually. I do it that way so I don't get interrupted while I'm doing something and I can control when I download and install them. I check at least once a day and I always make sure to get the "patch Tuesday" updates on the same day they become available. Most of the daily checks just concern Microsoft Security Essentials updates, but occasionally there's one for Windows or IE or something else.

I also always check for more updates after installing updates because sometimes there are more that weren't included in the initial check. Presumably, the second ones are only applicable because of installing the first set, but why Microsoft doesn't include them with the first set is something I can't answer. However, it happens often enough that checking again for more updates has been part of my standard routine for a long time.

4jaj_4254's picture

I use Firefox under W7, both auto-updated.
Should I do more?