Apple, Google create fixes for ‘Freak’ security bug

BOSTON — Apple and Google said they have developed fixes to mitigate the newly-uncovered “Freak” security flaw affecting mobile devices and Mac computers.

The vulnerability in Web encryption technology could enable attackers to spy on users’ communications on Apple’s Safari browser and Google’s Android browser, said researchers who uncovered the flaw.

Apple spokesman Ryan James said the company had developed a software update to fix the vulnerability and that it would be pushed out next week.

Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive the upgrades.

Google typically does not directly push out Android software updates. Instead, they are handled by device makers and mobile carriers.

A number of commercial website operators are also taking corrective action after being notified privately in recent weeks, said Mr Matthew Green, a computer security researcher at Johns Hopkins University.

Researchers blame the problem on an old government policy, abandoned over a decade ago, which required US software makers to use weaker security in encryption programmes sold overseas because of national security concerns.

Many popular websites and some Internet browsers continued to accept the weaker software, or can be tricked into using it, said experts at several research institutions who reported their findings on Tuesday. They said that could make it easier for hackers to break the encryption that prevents digital eavesdropping when a visitor types sensitive information into a website. That could allow hackers to steal data and possibly launch attacks on the sites themselves by taking over elements on a page.

Some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned that those policies could inadvertently provide access to hackers.

“This was a policy decision made 20 years ago and it’s now coming back to bite us,’’ said Mr Edward Felten, a professor of computer science and public affairs at Princeton.

About a third of all encrypted websites were vulnerable as of Tuesday, including sites operated by American Express, Groupon, Kohl’s, Marriott and some government agencies, the researchers said. University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple’s browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla. Agencies