Apple addresses 'FREAK' attack in latest OS X, Apple TV and iOS security updates

Jump to First Reply
Posted:
in macOS edited March 2015
Apple on Monday rolled out a security update for OS X, as well as separate updates for iOS and Apple TV, that addresses a number of recently discovered vulnerabilities, including a widely publicized SSL/TSL flaw dubbed "FREAK" that could in some cases allow malicious users to intercept secure communications.



Highlighted in a report last week, "FREAK," or "Factoring RSA Export Keys," is a flaw recently discovered in certain embodiments of cryptographic protocols SSL and TLS.

Since Apple's Safari, as well as other Web browsers, rely on these secure connections to transfer data, FREAK leaves systems open to so-called man-in-the-middle attacks that force clients to use a weaker form of encryption than requested during communication sessions. According to Apple, the flaw only affected connections to servers that run certain RSA cipher suites. To rectify the issue, Apple removed support for ephemeral RSA keys, the basis of the vulnerability.

According to Apple's dedicated security updates webpage, FREAK affected not only OS X, but iOS and Apple TV as well. Apple addressed the issue with iOS 8.2 earlier today, while the most recent Apple TV 7.1 update takes care of Apple's set-top streamer.

Alongside the FREAK patch are fixes that affect iCloud Keychain, IOAcceleratorFamily, IOSurface and OS X Kernel Apple said.

Apple's latest OS X Security Update 2015-002 can be downloaded and installed via Software Update.

Comments

  • Reply 1 of 11
    What about 10.10.3 Beta?
     0Likes 0Dislikes 0Informatives
  • Reply 2 of 11
    mpantonempantone Posts: 2,288member

    No one here has the answer to that. Apple does not reveal their software release schedule.

     

    Presumably, the fix will be included shortly in a future release. Users of beta software should be aware that what they are voluntarily running may not be up to production software standards, including security.

     

    If you are running a beta operating system, you should be doing so on a secondary machine or an accessory boot drive/partition.

     0Likes 0Dislikes 0Informatives
  • Reply 3 of 11
    Restart required.
     0Likes 0Dislikes 0Informatives
  • Reply 4 of 11
    What about 10.7.5? I'm on Mid 2007 Black MacBook that cannot upgrade to 10.8-10.10. I wish Apple didn't left us who still use old MacBook out with that serious security breach :(
     0Likes 0Dislikes 0Informatives
  • Reply 5 of 11
    MacPromacpro Posts: 19,864member
    What about 10.10.3 Beta?

    Nothing showing up on any of my 10.10.3 beta machines. Maybe already fixed?
     0Likes 0Dislikes 0Informatives
  • Reply 6 of 11
    MacPromacpro Posts: 19,864member
    texdeafy wrote: »
    What about 10.7.5? I'm on Mid 2007 Black MacBook that cannot upgrade to 10.8-10.10. I wish Apple didn't left us who still use old MacBook out with that serious security breach :(

    Don't use it to send classified information for now.
     0Likes 0Dislikes 0Informatives
  • Reply 7 of 11
    razorpitrazorpit Posts: 1,796member
    I'm not at home at the moment to check my AppleTV 2 but did it receive an update as well?
     0Likes 0Dislikes 0Informatives
  • Reply 8 of 11
    docno42docno42 Posts: 3,761member
    razorpit wrote: »
    I'm not at home at the moment to check my AppleTV 2 but did it receive an update as well?

    As of last night it hadn't. I just checked and it still says I'm up to date but it could have updated automatically. I didn't pay attention to the versions yesterday but as of this morning it says I have OS 7.1.2 and Apple TV Software Version 6.2.1 (click select on the about screen to toggle the OS/ATV Software versions - not sure why they couldn't just put them on their own lines).
     0Likes 0Dislikes 0Informatives
  • Reply 9 of 11
    webweaselwebweasel Posts: 138member
    texdeafy wrote: »
    What about 10.7.5? I'm on Mid 2007 Black MacBook that cannot upgrade to 10.8-10.10. I wish Apple didn't left us who still use old MacBook out with that serious security breach :(

    Then use Firefox. I don't believe it is susceptable to a FREAK attack.
     0Likes 0Dislikes 0Informatives
  • Reply 10 of 11
    arthurbaarthurba Posts: 156member
    Ditto on 10.7.5.

    Lion is still sold in the apple store, so I think it deserves an update:
    http://store.apple.com/product/D6106Z/A/os-x-lion

    Safari Version 6.1.6 (7537.78.2) running on my Lion 10.7.5 MacBook Pro (Retina, 15-inch, Early 2013) Intel Core i7 2.7 GHz - Freak attack client test shows that my Safari browser is vulnerable:
    https://freakattack.com/clienttest.html


    I submitted an AppleCare case (I've still got support till June 2015): Case ID: 761429152

    AppleCare told me to use the 'feedback' link instead, which I've done.

    I've also started a discussion - please follow, see if we can get some attention:
    https://discussions.apple.com/thread/6868310
     0Likes 0Dislikes 0Informatives
  • Reply 11 of 11
    arthurbaarthurba Posts: 156member

    Ditto.  Please follow my discussion:

    https://discussions.apple.com/thread/6868310

     0Likes 0Dislikes 0Informatives
Sign In or Register to comment.