The FREAK vulnerability (short for Factoring attack on RSA-EXPORT Keys, also known as CVE-2015-0204) could make it possible for an attacker to decrypt and monitor your HTTPS-protected communications.
The problem wasn’t just limited to users of Apple devices and operating systems. For instance, last week Microsoft revealed that Windows users were also at risk from the flaw which has lain unnoticed for years.
The good news is that today Apple pushed out security update 2015-002 for OS X users, and similar patches for Apple TV and iOS.
Here’s what Apple had to say about the FREAK fix for OS X:
Secure Transport
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2
Impact: An attacker with a privileged network position may intercept SSL/TLS connections
Description: Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys.
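To make the advisory's wording concrete, here is an added example (not Apple's code, nor part of the original post) that parses the ServerRSAParams structure carried in a TLS ServerKeyExchange message, works out the ephemeral key size, and contrasts the pre-fix client policy the advisory describes (accept an ephemeral RSA key on any RSA suite) with the post-fix policy (ephemeral RSA keys are no longer accepted at all). The cipher-suite codes are the standard RFC 5246 / RFC 2246 values; the sample modulus and exponent are constructed.

```python
import struct

# Cipher-suite codes from RFC 5246 / RFC 2246. Export suites are the only ones for which
# a short (<= 512-bit) ephemeral RSA key in ServerKeyExchange was ever legitimate.
EXPORT_RSA_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"}
FULL_STRENGTH_RSA_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                            0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def parse_server_rsa_params(body: bytes) -> tuple:
    """Parse ServerRSAParams (RFC 5246 section 7.4.3): rsa_modulus and rsa_exponent,
    each an opaque vector with a 2-byte big-endian length. Returns (modulus_bits, exponent)."""
    pos = 0
    fields = []
    for name in ("rsa_modulus", "rsa_exponent"):
        if len(body) < pos + 2:
            raise ValueError(f"truncated length prefix for {name}")
        (length,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if length == 0 or len(body) < pos + length:
            raise ValueError(f"bad length {length} for {name}")
        fields.append(int.from_bytes(body[pos:pos + length], "big"))
        pos += length
    modulus, exponent = fields
    return modulus.bit_length(), exponent

def vulnerable_client_accepts(suite: int, body: bytes) -> bool:
    """Pre-fix behaviour described in the advisory: the ephemeral RSA key is accepted
    whenever it parses, even though the negotiated suite is full-strength RSA."""
    parse_server_rsa_params(body)
    return True

def fixed_client_accepts(suite: int, body: bytes) -> bool:
    """Post-fix behaviour: support for ephemeral RSA keys was removed, so a
    ServerKeyExchange carrying RSA params is rejected regardless of the suite."""
    return False

def describe(suite: int, body: bytes) -> str:
    bits, _ = parse_server_rsa_params(body)
    kind = "export" if suite in EXPORT_RSA_SUITES else "full-strength"
    return f"{kind} suite 0x{suite:04X} offered a {bits}-bit ephemeral RSA key"

# Constructed sample: a 512-bit modulus (top bit set, odd) and exponent 65537,
# i.e. the shape of the export-grade key a FREAK downgrade produces.
SAMPLE_MODULUS = b"\x80" + bytes(62) + b"\x01"
SAMPLE_BODY = (struct.pack("!H", len(SAMPLE_MODULUS)) + SAMPLE_MODULUS
               + struct.pack("!H", 3) + b"\x01\x00\x01")

if __name__ == "__main__":
    print(describe(0x002F, SAMPLE_BODY))
    print("vulnerable client accepts:", vulnerable_client_accepts(0x002F, SAMPLE_BODY))
    print("fixed client accepts:", fixed_client_accepts(0x002F, SAMPLE_BODY))
```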
We should be grateful that Apple appears to have resolved the FREAK vulnerability for its users in a relatively short amount of time.
Of course, this isn’t the only security patch included in the latest updates for OS X, iOS and Apple TV.
For instance, the latest iOS update includes a fascinating fix for a vulnerability that could have allowed hackers to remotely restart a victim’s iPhone by sending a specially-crafted SMS message.
But none of the other bugs are likely to make the same number of headlines as FREAK achieved when it was revealed earlier this month.
For once I feel I’m quite entitled to suggest that you update your computers, your smartphones and your Apple TV with the latest security patches and then… “get the freak out.” 🙂