Yesterday a security vulnerability was discovered in technology used in OpenSSL clients and Apple TLS/SSL clients. The SMACK (State Machine AttaCK) vulnerability, as it is known, allows a man-in-the-middle attack to take place when both a client and the server it is communicating with run susceptible software.
What to do about it:
The likelihood of attack is low and patches are already available. The most important thing is to patch your web browser and its plugins. This vulnerability does affect Java, so it is important that you check your version of Java and update it to the latest version.
If you use CIS or MyApps then you may need to modify your settings after patching. Information on how to do this can be found at:
- Java support (including CIS) - https://www.sheffield.ac.uk/cics/java
- MyApps support - https://www.sheffield.ac.uk/wrgrid/using/access/problems
If you patch your computer regularly then you will be fine. We recommend that you set your computer to check for and install updates automatically.
Servers - Information for technical staff
There is also a server-side aspect to this vulnerability, called the FREAK attack.
If you administer a server that provides secure connections then you should check that it is not offering, or accepting, cipher suites or certificates that are now considered insecure. You can run a quick health check on your server's configuration at https://www.ssllabs.com/ssltest/analyze.html
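As an added example (not part of the original notice), the following Python script audits a server's enabled cipher list, as printed by `openssl ciphers -v '<your configured cipher string>'`, and flags export-grade and other weak suites; FREAK depends on a server still accepting export-grade RSA suites, which is why those are reported first. The cipher list embedded below is a constructed sample, not output captured from any real server.

```python
"""Audit a list of enabled TLS cipher suites for export-grade and other weak
suites, using the line format printed by `openssl ciphers -v '<cipher string>'`."""
import re
import sys

# Constructed sample in `openssl ciphers -v` format (one suite per line);
# pipe real output into this script on stdin to audit your own configuration.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA  Enc=DES(40)     Mac=SHA1 export
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=SHA1
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(.*)$")

def weaknesses(line):
    """Return the reasons one `openssl ciphers -v` line is unsafe ([] if fine)."""
    m = LINE.match(line.strip())
    if not m:
        return ["unparsable line"]
    name, _proto, kx, _au, enc, mac, rest = m.groups()
    reasons = []
    # Export-grade suites (512-bit RSA key exchange, 40-bit symmetric keys) are
    # the ones a FREAK-style downgrade needs the server to accept.
    if "export" in rest or name.startswith("EXP-") or "(512)" in kx:
        reasons.append("export-grade key exchange")
    if enc == "None":
        reasons.append("no encryption")
    else:
        bits = re.search(r"\((\d+)\)", enc)
        if bits and int(bits.group(1)) < 128:
            reasons.append(f"{enc} is under 128-bit")
    if enc.startswith("RC4"):
        reasons.append("RC4")
    if enc.startswith("3DES"):
        reasons.append("3DES")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def audit_ciphers(text):
    """Map suite name -> list of weaknesses for every non-empty line of `text`."""
    return {ln.split()[0]: weaknesses(ln) for ln in text.splitlines() if ln.strip()}

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for suite, reasons in audit_ciphers(data).items():
        print(f"{'WEAK' if reasons else 'ok  '} {suite}: {', '.join(reasons)}")
```

Run it as `openssl ciphers -v 'YOUR-CIPHER-STRING' | python3 audit_ciphers.py`; any suite reported as WEAK should be removed from the server's configuration before re-running the SSL Labs check.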