FREAK is a major security flaw recently discovered that left users of Apple and Google devices exposed to MITM attack while visiting supposedly secure Websites. At the same time Microsoft issued a specific security advisory to inform its users that almost every operating system of the company was affected by FREAK.
The IT giants immediately started the necessary activities to fix the issue in their products.
Apple has released the iOS 8.2 version for its mobile devices, iPhones and iPads, to avoid that is users could be victims of MITM attacks.
“Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys,” reads the Apple advisory.
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.” states the advisory note issued by the company, which confirmed that the flaw affects iPhone 4s handsets and later, iPod touch (5th generation) and later, and iPad 2 and later.
The update issued by the company also fixed another bug, in CoreTelephony’s handling of Class 0 SMS messages, that allowed a remote attacker to restart a targeted iPhone with a specifically crafted SMS.
Microsoft has not been stopped and took its precautions to protect their users. The company released a fix for the FREAK vulnerability spread across 14 security bulletins.
“Vulnerability in Schannel Could Allow Security Feature Bypass (3046049) – This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.” states the description for the Bulletin MS15-031 rated as critical.
(Security Affairs – FREAK, security)