The Mac Security Blog

Security News

Apple Releases FREAK Fix for OS X, iOS and Apple TVs

Posted on by

Apple releases FREAK fix for OS X, iOS and Apple TVsAmongst all the hullabaloo about the new Apple Watch, you might have missed that Apple has also released a patch for the FREAK vulnerability.

The FREAK (Factoring attack on RSA-EXPORT Keys, also known as CVE-2015-0204) vulnerability, short for Factoring attack on RSA-EXPORT Keys, could make it possible for an attacker to decrypt and monitor your HTTPS-protected communications.

The problem wasn’t just limited to users of Apple devices and operating systems. For instance, last week Microsoft revealed that Windows users were also at risk from the flaw which has lain unnoticed for years.

The good news is that today Apple pushed out security update 2015-002 for OS X users, and similar patches for Apple TV and iOS.

OS X update

Here’s what Apple had to say about the FREAK fix for OS X:

Secure Transport
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2

Impact: An attacker with a privileged network position may intercept SSL/TLS connections

Description: Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys.

We should be grateful that Apple appears to have resolved the FREAK vulnerability for its users in a relatively short amount of time.

Of course, this isn’t the only security patch included in the latest updates for OS X, iOS and Apple TV.

For instance, the latest iOS update includes a fascinating fix for a vulnerability that could have allowed hackers to remotely restart a victim’s iPhone by sending a specially-crafted SMS message.

But none of the other bugs are likely to make the same number of headlines as FREAK achieved when it was revealed earlier this month.

For once I feel I’m quite entitled to suggest that you update your computers, your smartphones and your Apple TV with the latest security patches and then… “get the freak out.” 🙂

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →