
Apple Releases FREAK Fix for OS X, iOS and Apple TVs

Posted on March 10th, 2015 by Graham Cluley

Amongst all the hullabaloo about the new Apple Watch, you might have missed that Apple has also released a patch for the FREAK vulnerability.

The FREAK vulnerability (short for Factoring attack on RSA-EXPORT Keys; the OpenSSL instance is tracked as CVE-2015-0204, Apple's Secure Transport instance as CVE-2015-1067) could make it possible for an attacker sitting between you and a website to decrypt and monitor your HTTPS-protected communications. It works by tricking a vulnerable client into accepting a 1990s "export-grade" 512-bit RSA key, which is weak enough to be factored in a matter of hours on rented cloud hardware, after which the attacker can read and tamper with the session.

The problem wasn't limited to users of Apple devices and operating systems. For instance, last week Microsoft revealed that Windows users were also at risk from the flaw, which had lain unnoticed for years.

The good news is that today Apple pushed out Security Update 2015-002 for OS X users, and similar patches for Apple TV and iOS.

OS X update

Here's what Apple had to say about the FREAK fix for OS X:

Secure Transport
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2

Impact: An attacker with a privileged network position may intercept SSL/TLS connections

Description: Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys.
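To make Apple's description concrete, here is an added example (it is not Apple's Secure Transport code, nor OpenSSL's, and was not part of this post) modelling the client-side decision FREAK abuses. It encodes and parses the ServerRSAParams structure from RFC 2246, then compares three client policies: the pre-patch behaviour that uses whatever ephemeral key arrives, a check that accepts ephemeral RSA only on an RSA_EXPORT suite the client actually offered, and the approach Apple's note describes, dropping ephemeral RSA entirely. The policy names, function names and the 512-bit "modulus" are this example's own; the modulus is filler bytes of the right length, not a real RSA key.

```python
"""
Client-side view of the FREAK downgrade, modelled on the check Apple's
advisory describes. A TLS client must not accept a ServerKeyExchange that
carries "ephemeral" RSA parameters on a full-strength RSA cipher suite;
vulnerable clients did, and used the 512-bit key it contained.
Added example, not Secure Transport or OpenSSL code.
"""
import struct

# Cipher suite identifiers from the IANA TLS registry.
TLS_RSA_EXPORT_WITH_RC4_40_MD5     = 0x0003
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  = 0x0008
TLS_RSA_WITH_RC4_128_SHA           = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA      = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA       = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA       = 0x0035

EXPORT_RSA_SUITES = {
    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
}

# Policies a client can apply when a ServerKeyExchange with RSA params arrives
# (names are this example's own, not Apple's or OpenSSL's).
VULNERABLE = "vulnerable"                      # pre-patch behaviour: use the key
REJECT_UNLESS_EXPORT = "reject_unless_export"  # only legal on an RSA_EXPORT suite
REJECT_ALWAYS = "reject_always"                # Apple's fix: drop ephemeral RSA


def build_server_rsa_params(modulus: bytes, exponent: bytes) -> bytes:
    """Encode ServerRSAParams (RFC 2246 7.4.3): two <1..2^16-1> opaque vectors.
    The signature that follows in a real ServerKeyExchange is left out."""
    return (struct.pack("!H", len(modulus)) + modulus
            + struct.pack("!H", len(exponent)) + exponent)


def parse_server_rsa_params(body: bytes):
    """Return (modulus_bits, exponent) from ServerRSAParams; ValueError if malformed."""
    off = 0
    fields = []
    for name in ("modulus", "exponent"):
        if len(body) < off + 2:
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        value = body[off:off + length]
        if length == 0 or len(value) != length:
            raise ValueError(f"bad {name} length")
        off += length
        fields.append(int.from_bytes(value, "big"))
    modulus, exponent = fields
    return modulus.bit_length(), exponent


def client_accepts(offered, chosen, server_key_exchange, policy):
    """Decide whether the client continues the handshake.

    offered:             cipher suites the client listed in its ClientHello
    chosen:              suite selected in the ServerHello the client received
    server_key_exchange: ServerRSAParams bytes, or None if no such message came
    Returns (accepted, reason).
    """
    if chosen not in offered:
        return False, "ServerHello chose a suite the client never offered"
    if server_key_exchange is None:
        return True, "static RSA: premaster secret goes under the certificate key"
    modulus_bits, _ = parse_server_rsa_params(server_key_exchange)
    if policy == VULNERABLE:
        # The FREAK bug: the suite says "full strength" but the client happily
        # encrypts the premaster secret under whatever key the message carried.
        return True, f"using {modulus_bits}-bit ephemeral RSA key"
    if policy == REJECT_ALWAYS:
        return False, "ephemeral RSA key exchange is not supported"
    if policy == REJECT_UNLESS_EXPORT:
        if chosen not in EXPORT_RSA_SUITES:
            return False, "unexpected ServerKeyExchange on a non-export RSA suite"
        if modulus_bits > 512:
            return False, "export RSA params must not exceed 512 bits"
        return True, f"export suite, {modulus_bits}-bit ephemeral RSA key"
    raise ValueError(f"unknown policy {policy!r}")


def freak_scenario(policy):
    """Constructed FREAK handshake as the client sees it: it offered only
    full-strength RSA suites; the man-in-the-middle forwards a ServerHello for
    AES-128 and a ServerKeyExchange carrying the server's 512-bit export key."""
    offered = [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
               TLS_RSA_WITH_3DES_EDE_CBC_SHA]
    # 64 bytes with the top bit set: 512 bits. Constructed filler, not a real
    # RSA modulus; only its length matters to the checks above.
    weak_modulus = bytes([0xC3]) + bytes((i * 37 + 11) & 0xFF for i in range(63))
    ske = build_server_rsa_params(weak_modulus, b"\x01\x00\x01")
    return client_accepts(offered, TLS_RSA_WITH_AES_128_CBC_SHA, ske, policy)


if __name__ == "__main__":
    for policy in (VULNERABLE, REJECT_UNLESS_EXPORT, REJECT_ALWAYS):
        print(f"{policy:22} -> {freak_scenario(policy)}")
```

Running it shows the vulnerable policy carrying on with a 512-bit key while both fixes abort the handshake. The model stops at that acceptance decision; factoring the weak key afterwards is the attacker's job and is not modelled. It is also why Apple's note says only servers that still support export-strength RSA suites put their users at risk: a server with those suites disabled never produces the 512-bit ServerKeyExchange in the first place.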

We should be grateful that Apple appears to have resolved the FREAK vulnerability for its users in a relatively short amount of time.

Of course, this isn't the only security patch included in the latest updates for OS X, iOS and Apple TV.

For instance, the latest iOS update includes a fascinating fix for a vulnerability that could have allowed hackers to remotely restart a victim's iPhone by sending a specially-crafted SMS message.

But none of the other bugs are likely to make the same number of headlines as FREAK achieved when it was revealed earlier this month.

For once I feel I'm quite entitled to suggest that you update your computers, your smartphones and your Apple TV with the latest security patches and then... "get the freak out." 🙂

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • google user 2014

    Thanks for your article! May I ask, do you recommend OSX users to upgrade to the Yosemite version? Thank you!

  • Way_Back_When

    Any chance Apple will also patch iOS 7.1.2 for the 25% of us not running iOS 8? Is there a reason Safari cannot be patched?

  • Al Varnell

    Note that Apple patched the CVE-2015-1067 vulnerability of iOS, OS X and Apple TV, which is not the same as CVE-2015-0204 involving OpenSSL versions before 0.9.8zd, 1.0.0p, and 1.0.1k. The Security Update 2015-002 did not provide updated versions of openssl.