Apple secures Safari against FREAK attacks
Apple on Monday patched the FREAK flaw in both OS X and iOS, issuing updates for both operating systems to protect users of its Safari browser.
In a pair of accompanying advisories, Apple noted the FREAK fix as one of several in iOS 8.2 and OS X Yosemite, Mavericks and Mountain Lion. The OS X update was labeled 2015-002 to identify it as a multi-edition fix.
“Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites,” Apple stated in both advisories. “This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys.”
“Secure Transport” is Apple’s name for the API (application programming interface) in iOS and OS X that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols that are standard on the Web for securing communications between devices — primarily through the browsers that run on them — and website servers.
Apple followed Google in patching for FREAK; the search firm’s Chrome browser was updated last week on Windows, OS X and Linux to deal with the bug.
FREAK, for Factoring attack on RSA-EXPORT Keys, was the name assigned last week by researchers from Microsoft and INRIA, a French research institute, to a design flaw that could let cyber criminals silently force a browser-server connection to fall back to long-discarded encryption standards, those guarded by keys relatively easy to crack with off-the-shelf software and computing power purchased from cloud services.
The most likely assault would be through a classic “man-in-the-middle” (MITM) attack, where attackers insert themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.
Safari, the default browser in iOS and OS X, could be pushed into using weaker cipher libraries, ones that were once the only allowed for export outside the U.S. Although the export rules were gradually relaxed, then largely abandoned, browsers and servers still blithely supported the fall-back.
Computerworld verified that the iOS 8.2 and OS X 2015-002 updates successfully patched Safari against FREAK. Previously, the browser on both operating systems had reported they were vulnerable when tested on FREAKattack.com,, a site maintained by a group of computer scientists at the University of Michigan.
Other browser makers have yet to fix their wares. Google’s Chrome on Android remains vulnerable — although the beta of Chrome 41 is safe — and Microsoft, although it issued an advisory and confirmed that the bug is within Windows, has not rolled out a repair. Microsoft’s Patch Tuesday for the month is tomorrow; there’s an outside chance it will deploy a fix then.
iOS 8.2 patched five additional vulnerabilities, and Security Update 2015-002 fixed four others.
iOS 8.2 can be downloaded over the air from iPhones, iPads and iPod Touches, or though iTunes. From an iPhone, users must touch the “Settings” icon, then the “General” button on the resulting screen. Tapping “Software Update” will kick off the update process.
OS X’s Security Update 2015-002 can be retrieved by selecting “App Store” from the Apple menu, then clicking on the “Updates” icon at the top right of the store’s window.