BlackBerry joins the FREAK show

Working on patches now


BlackBerry has joined the lengthening list of FREAKed-out vendors, publishing a list of currently-vulnerable software and promising fixes as soon as possible.

The famous FREAK is the vulnerability that OpenSSL inherited from the 1990s, because America's rules at the time meant “export-grade” encryption was limited to a maximum key length of 512 bits.

Clients needed a way to tell servers they only accepted export-grade keys – and the code that implemented this has lingered on. In FREAK, a man-in-the-middle (MITM) could tell the server the client only accepts the weaker key, capture traffic using the weak key, and decrypt it later.

BlackBerry's advisory reveals that currently-vulnerable products include the BlackBerry 10 and 7.1-and-earlier OSs, various versions of its Enterprise Server, and various versions of BlackBerry Messenger on Windows, iOS and Android.

In the clear are:

  • BlackBerry Enterprise Server 5;
  • BlackBerry Universal Device Service;
  • Windows Phone and Android versions of its BES12 client;
  • BBM and BBM Protected on Android, version 2.7.0.6 and higher; on iOS 2.7.0.32 and higher.

While there are no workarounds for the vulnerability, the company says the complex requirements needed to stage a successful MITM attack reduce the immediate risk for clients. ®

