Apple nixes FREAK SSL bug in iOS 8.2, OS X and Apple TV

Apple released a new iOS update that prepares iPhones for the Apple Watch but also fixes serious security bugs, including the recently discovered flaw known as FREAK.

Even if iPhone owners aren’t interested in Apple’s new wearable, they should still install iOS 8.2, the iOS update released by Apple on Monday that adds support in iOS for Apple Watch and a host of important security updates.

The security component of iOS 8.2 removes support for the recently that allows man-in-the-middle attackers to force clients, such as a browser, and servers to use weak encryption.

The bug affected multiple browsers, including Apple’s Safari on iOS and the OS X and apparently Apple TV.

The flaw was an overlooked remnant of a US law in the 1990s that restricted the export of strong RSA encryption keys and remained supported in many browsers. In Apple’s case, its Secure Transport protocol supported the weak export grade RSA cipher suites.

“Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys,” Apple explained of the fix.

Apple's security update 2015-002 for OS X removes support for the weak keys in OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2. The Apple TV 7.1 update removes support for bug in third generation Apple TV and later.

There was only one remotely exploitable iOS 8 bug fixed in iOS 8.2, which was reported by Swedish researcher Roman Digeberg in January. That stemmed from the way CoreTelephony in iOS 8 handles “Class 0” or Flash SMS messages. As Digeberg demonstrated, a remote attacker could use the flaw to crash an iPhone and cause it to restart.

Another fix for iOS addressed multiple buffer overflow flaws in iCloud Keychain that could allow an attacker with a privileged network position to take control of an iPhone. The same flaw was fixed in OS X Yosemite.

Read more: Pervasive technologies and its implication on security

Ian Beer, a member of Google’s Project Zero crack team of hackers, is credited with the discovery a flaw affecting IOSurface in iOS and OS X Mountain Lion, Mavericks and Yosemite. "A malicious application may be able to execute arbitrary code with system privileges,” said Apple.

Additional fixes in iOS 8.2 include one for a flaw that would have allowed malware to create folders in trusted locations on the file system and another bug that could let a person with physical access to the device see its home screen even if the device is not activated.

Apple security update for OS X includes fixes for total of five flaws affecting OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2. The update for Apple TV addresses three flaws. It also released two fixes for five separate bugs in versions of XCode earlier than 6.2, which was released on Monday.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags Apple TViOS updateOS XOS X Mountain Lionsecurity updatesMavericksYosemiteRoman DigebergFREAKSSL bug iOS 8.2RSA encryption keysiCloud KeychainApple nixesserious security bugsCoreTelephony

Show Comments