Apple's products are safe from FREAK attack

Mar 10, 2015 13:19 GMT

Apple has released new security patches for its OS X and iOS products, one of which fixes the FREAK vulnerability in Secure Transport, the developer’s implementation of the SSL/TLS cryptographic protocols.

The FREAK (Factoring RSA Export Keys) vulnerability was disclosed last week by security researchers at INRIA and Microsoft Research; it allows an attacker in a position to intercept network traffic to decrypt the secure communication between the client and the server.

The FREAK vulnerability

The flaw lets the SSL/TLS connection be forced onto a weaker cipher suite with a 512-bit key, which could be broken with today’s technology in little over seven hours and at a cost of just $100 / €93.

The weak key was part of a policy from 1990 that required hardware and software products exported outside the US to include a less secure cipher to allow the government to decrypt foreign communication.

Although the specification is no longer used, an attacker could inject packets into the traffic and enable it, thus weakening the encryption. The weak encryption was labeled “export-grade”, and its cipher suites were given the “EXP” prefix to distinguish them from the variants using a stronger key.

OpenSSL, Apple’s Secure Transport and Microsoft’s Secure Channel (affecting all supported versions of Windows) have been found vulnerable to this type of attack.

Apple's update covers both mobile and desktop platforms

On Monday, Apple rolled out a fix for the vulnerability affecting Safari, which is identified as CVE-2015-1067 for iOS and OS X products.

On desktop, the patch is available for OS X Mountain Lion (10.8.5), Mavericks (10.9.5) and Yosemite (10.10.2). For its mobile platform, Apple produced the fix for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and above.

“Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys,” reads Apple’s description for the update.
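The client-side check in Apple's description, modelled as an added Python example (not Apple's or the article's code): the vulnerable picker uses any ephemeral RSA key it is handed, while the fixed one refuses export suites and ephemeral RSA keys. The key sizes, OpenSSL-style suite names and handshake cases are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

class HandshakeError(Exception):
    """Raised when the client aborts the handshake."""

@dataclass(frozen=True)
class RsaKey:
    bits: int      # modulus size in bits
    source: str    # "certificate" or "ephemeral"

def is_export_suite(name: str) -> bool:
    # OpenSSL-style names mark export-grade suites with the EXP prefix.
    return name.startswith("EXP")

def pick_key_vulnerable(suite: str, cert_key: RsaKey,
                        ephemeral: Optional[RsaKey]) -> RsaKey:
    # Flawed logic: an ephemeral RSA key is used whenever one shows up,
    # without checking that an export suite was actually negotiated.
    return ephemeral if ephemeral is not None else cert_key

def pick_key_fixed(suite: str, cert_key: RsaKey,
                   ephemeral: Optional[RsaKey]) -> RsaKey:
    # Hardened logic in the spirit of the described fix: no export suites
    # and no ephemeral RSA keys; only the certificate key is acceptable.
    if is_export_suite(suite):
        raise HandshakeError(f"export-grade suite refused: {suite}")
    if ephemeral is not None:
        raise HandshakeError("unexpected ephemeral RSA key")
    return cert_key

# Constructed client-side views of three handshakes (not captured traffic).
CERT = RsaKey(2048, "certificate")
WEAK = RsaKey(512, "ephemeral")
CASES = [
    ("normal", "AES128-SHA", None),           # full-strength, no extra key
    ("downgraded", "AES128-SHA", WEAK),       # full-strength suite + short key
    ("explicit export", "EXP-RC4-MD5", WEAK), # export suite negotiated openly
]

def run(picker):
    """Return, per case, the key size the client would encrypt to, or 'aborted'."""
    results = {}
    for label, suite, ephemeral in CASES:
        try:
            results[label] = picker(suite, CERT, ephemeral).bits
        except HandshakeError:
            results[label] = "aborted"
    return results

if __name__ == "__main__":
    print("vulnerable:", run(pick_key_vulnerable))
    print("fixed:     ", run(pick_key_fixed))
```

The "downgraded" case is the one the advisory text singles out: the suite looks full-strength, yet the vulnerable picker ends up protecting the session with the 512-bit key.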

Android clients connecting to vulnerable servers via the stock browser or the Chrome variant for mobile are susceptible to the FREAK attack.

Google has issued an update for the OS X version of Chrome that mitigates the risk, and a patch is also expected for the mobile browser. Microsoft is also expected to release a patch for Windows.

Apple's security update also includes fixes for flaws that could be leveraged for arbitrary code execution in iCloud Keychain recovery, IOAcceleratorFamily, IOSurface and the Kernel (OS X Yosemite).

For the mobile platform, the developer also pushed patches for a glitch in CoreTelephony, which caused the device to restart, and for a flaw in MobileStorageMounter, which allowed the creation of folders in trusted locations in the file system.