What is FREAK?
By exploiting the Factoring RSA Export Keys vulnerability in SSL (FREAK), an attacker could intercept the network traffic between entities running any implementation of the vulnerable protocol and decrypt the secure communication. In other words, the attacker is able to act as a man-in-the-middle and decrypt the secure traffic between the client and the server.
The well-known OpenSSL library, Apple’s Secure Transport, and Microsoft’s Secure Channel (which affects all supported versions of Windows) have all been found vulnerable to this type of attack.
The flaw lies in the fact that an SSL/TLS connection could be forced to use a weaker cipher suite (so-called “export grade”) with a 512-bit RSA key, which can be broken with today’s technology in a few hours.
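Because the weakness is the presence of export-grade suites in the negotiation, the first thing a defender usually wants is a way to spot them in traffic. The following is an added example, not code from the original article: it parses a TLS 1.0 ClientHello record and reports any export-grade cipher suites the client offers. The suite identifiers are the RFC 2246 / IANA values for the RSA_EXPORT and DH*_EXPORT suites; the ClientHello bytes are constructed in the example for demonstration and are not a real capture.

```python
"""Flag export-grade cipher suites offered in a TLS ClientHello (added example)."""
import struct

# Export-grade suites as registered in RFC 2246 (TLS 1.0), keyed by their
# two-byte identifier. Any of these implies a 512-bit (or shorter) key exchange.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(cipher_suites):
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample, not a capture)."""
    body = struct.pack(">H", 0x0301)                 # client_version: TLS 1.0
    body += b"\x11" * 32                             # random: fixed filler for the demo
    body += b"\x00"                                  # session_id length: 0
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher-suite ids offered in a ClientHello record.

    Raises ValueError when the bytes are not a well-formed ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session_id
    suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]


def find_export_suites(record):
    """Names of the export-grade suites offered in the ClientHello (empty list if none)."""
    return [EXPORT_SUITES[s] for s in parse_client_hello_suites(record) if s in EXPORT_SUITES]


if __name__ == "__main__":
    # A client offering a modern suite plus two export suites (constructed input).
    weak = build_client_hello([0x002F, 0x0008, 0x0003])
    print("export suites offered:", find_export_suites(weak))
    # A client offering only non-export suites.
    strong = build_client_hello([0x002F, 0x0035])
    print("export suites offered:", find_export_suites(strong))
```

Run over the ClientHello records of captured traffic, the same check identifies clients that still advertise export suites; applied to a ServerHello's single chosen suite it tells you whether a server accepted one. A non-empty result means the endpoint is still exposed to the downgrade the article describes, which a vendor update or a cipher-suite configuration without EXPORT suites removes.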
Apple describes the affected area as a “Secure Transport vulnerability which allows an attacker with a privileged network position to intercept SSL/TLS connections”.
The security update 2015-002 which fixes FREAK is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2.
iOS 8.2 is available for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.
What should you do?
Apple’s security update for MacOS also includes mitigations for arbitrary code execution through flaws in iCloud Keychain recovery, IOAcceleratorFamily, IOSurface, and the kernel (OS X Yosemite).
For iOS, Apple patched a bug in CoreTelephony that could cause the device to restart, and buffer overflows in iCloud Keychain that allow an attacker with a privileged network position to execute arbitrary code.
Even though CVE-2015-1067, also known as FREAK, is more theoretical than most vulnerabilities affecting the SSL protocol and its implementations (Heartbleed, POODLE), it is strongly advisable to apply the update.
Usually, the update is delivered over the air, so follow the known procedure for each device to apply it:
- iOS: go to Settings -> General -> Software Update
- OS X: go to Updates (or Software Update on older versions) and click Update All.