Apple has published its second major security roll-up package of the year, Security Update 2015-002, which contains fixes for multiple versions of OS X stretching from Mountain Lion 10.8.5 to Yosemite 10.10.2. These updates mitigate threats from several different vulnerabilities, but the most notable is a fix that will inoculate Safari users against the so-called “FREAK” SSL/TLS exploit (CVE-2015-0204, although at publication time the Apple page shows CVE-2015-0167 as the CVE ID for FREAK).
First publicized a week ago, the “FREAK” vulnerability can be used by an attacker to force someone’s SSL/TLS connection to a Web server to use a weak 512-bit key, which the attacker can then factor with a relatively trivial amount of work and thereby decrypt and/or modify the supposedly secure connection. The vulnerability affects OS X, iOS, Android, and Windows devices. The acronym “FREAK” stands for “Factoring attack on RSA-EXPORT Keys,” which references the fact that the 512-bit weak keys are so-called legacy “export-grade” keys mandated for use in the 1990s with cryptographic hardware and software built in the US but intended for sale outside of the country.
Apple promised a fix within a week, and true to the company’s word, the patch for the vulnerability arrived today. OS X users browsing the Web with updated versions of Chrome and Firefox were already immune (Firefox appeared to be immune to start with, and Chrome was patched last week), but Safari users were open to attack until today. After installing the 2015-002 update, this is no longer the case, and all three mainstream Web browsers on OS X are now secure.