Apple to patch 'FREAK Attack' vulnerability in iOS, OS X next week

Attackers can theoretically use FREAK Attack to intercept what should be a secure HTTPS connection — the one with the lock icon in the address bar — and downgrade the encryption to "export-grade", which is much easier to crack. Safari, both on OS X and iOS, among other browsers, can be susceptible to FREAK Attacks, but Apple is aware of the exploit and moving swiftly to patch it:

"We have a fix in iOS and OS X," an Apple spokesperson told iMore, "that will be available in software updates next week."

FREAK Attack stands for "Factoring attack on RSA-EXPORT Keys". The vulnerability has apparently existed for a decade but was only recently discovered and disclosed by researchers. According to FREAKAttack.com:

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

Here's what website administrators should do:

If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy.

They also include a list of websites, some of the internet's largest, known to be vulnerable at the time of the reporting.
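The vulnerability condition and the administrator guidance quoted above can be turned into a small audit, shown here as an added example that is not from FREAKAttack.com or the original article. It assumes cipher suites are given by their IANA names, and the sample suite lists are constructed for illustration.

```python
# Added example: audits cipher-suite lists against the quoted FREAK guidance.
# Assumption: suites are given by IANA name; all sample lists are constructed.
FS_KEX = ("TLS_DHE_", "TLS_ECDHE_")  # ephemeral key exchange prefixes

def is_export(suite):
    """Export-grade suites carry _EXPORT in their IANA name."""
    return "_EXPORT" in suite

def is_rsa_export(suite):
    """RSA key exchange with an export-grade key: what FREAK downgrades to."""
    return suite.startswith("TLS_RSA_EXPORT")

def has_forward_secrecy(suite):
    return suite.startswith(FS_KEX) and not is_export(suite)

def audit_server(suites):
    """Pass only if no export suite of any kind is enabled and at least
    one forward-secret suite is, as the quoted guidance recommends."""
    rsa_export = [s for s in suites if is_rsa_export(s)]
    other_export = [s for s in suites if is_export(s) and not is_rsa_export(s)]
    fs = [s for s in suites if has_forward_secrecy(s)]
    return {"rsa_export": rsa_export, "other_export": other_export,
            "forward_secrecy": fs,
            "ok": not rsa_export and not other_export and bool(fs)}

def connection_vulnerable(server_suites, client_suites, client_has_cve_2015_0204):
    """The quoted condition: the server accepts RSA_EXPORT, and the client
    either offers RSA_EXPORT or has the CVE-2015-0204 bug."""
    server_accepts = any(is_rsa_export(s) for s in server_suites)
    client_offers = any(is_rsa_export(s) for s in client_suites)
    return server_accepts and (client_offers or client_has_cve_2015_0204)

# Constructed sample configurations.
LEGACY_SERVER = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"]
# Removing only the RSA export suites still leaves a DHE export suite enabled.
PARTIAL_FIX = [s for s in LEGACY_SERVER if not is_rsa_export(s)]
HARDENED_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
MODERN_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for name, cfg in [("legacy", LEGACY_SERVER), ("partial", PARTIAL_FIX),
                      ("hardened", HARDENED_SERVER)]:
        print(name, audit_server(cfg)["ok"],
              connection_vulnerable(cfg, MODERN_CLIENT, True))
```

The partial fix no longer meets the FREAK condition but still fails the audit, which is why the guidance asks for all export suites to be disabled rather than only the RSA ones.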

The weaker 512-bit encryption is called "export-grade" due to a U.S. policy, which ended in the 1990s, that once prohibited the export of strong encryption. It highlights the inherent problem with government demands for lower levels of security and "back doors": Security is only ever as strong as its weakest point. The Washington Post:

The [FREAK Attack] problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide "doors" into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.

Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, said any requirement to weaken security adds complexity that hackers can exploit. "You're going to add gasoline onto a fire," said Green. "When we say this is going to make things weaker, we're saying this for a reason."

In other words, doors open. It's what they're designed to do.

We'll let everyone know as soon as the iOS and OS X patches are live.

Rene Ritchie
Contributor


36 Comments
  • FYI, if you're an Android owner, here's what you need to know: (Via WaPo, linked above):
    Google’s Chrome browser is not vulnerable to the FREAK bug, but the browser that comes built into most Android devices is vulnerable. Connections to Google’s search Web site are not affected by the flaw. The company said Tuesday that it has developed a patch for the Android operating system’s browser and has provided it to “partners,” meaning the companies that make most Android devices. It will be up to those companies to deploy it. Security experts have long complained that crucial updates can take months – or never arrive at all – because Google does not control the process of delivering patches to devices running Android.
  • You may want to add that Firefox and Chrome for OSX are not affected by this bug. Just another reason why people should stop using Safari.
  • Chrome is definitely the go-to browser on a desktop Mac so I have it on my Mac Mini. However I had to uninstall it on my MacBook Air because I found it to be a battery drain. Sent from the iMore App
  • Reinstall it and see what extensions you had or have running. I'm saying that because Chrome by itself is a really lightweight browser and shouldn't be eating your battery. Hope it helps :)
  • No it's just Chrome. I use it as a secondary browser and have it running with no extensions. If you check the Activity Monitor and Battery Shaming it's consistently one of the largest resource drains of any basic app.
  • Is Chrome for iOS good too? Posted via the iMore App for Android
  • No, none of the iOS browsers are safe since they all use Safari as the engine.
  • They all use WebKit as the engine, which needs to patch OpenSSL.
  • Strangely enough, I tried out Chrome on iOS today and went to the freakattack.com site just to see if it was iOS or Safari at fault. It showed me Chrome was safe.
  • Really? Gonna check it out. Hopefully it's all good. At least there would be an option until the patch is released. Posted via the iMore App for Android
  • Yup, just installed chrome for iOS and the freakattack site is reporting it safe. Sent from the iMore App
  • They don't use Safari, they use the open standard WebKit (https://www.webkit.org), which Safari is also built on and other browsers on iOS are locked in and have to use. I understand Google forked WebKit into their own specialized standard for Chrome on the desktop, but could not do so on iOS.
  • Google forked WebKit to make Blink. Apple doesn't allow third-party web engines on iOS, so they use the built-in WebView.
  • And UIWebView, not WKWebView, until this issue is resolved: https://code.google.com/p/chromium/issues/detail?id=423444 But it does not look like it has been touched in 8.1 or 8.2 Sent from the iMore App
  • Where are you getting your information? MacWorld, which I trust a lot more than you, says Chrome for OS X IS vulnerable and that only Firefox is okay for now.
  • Click on the site and it will let you know if your browser is secure. If I'm not mistaken. https://freakattack.com/ Sent from the iMore App
  • Three steps for you: 1) open up Chrome for OSX
    2) go here https://freakattack.com/clienttest.html and see the safe message
    3) stop reading MacWorld as a source of valid information.
  • The site says Chrome isn't affected, but the site also says Chrome is vulnerable, which is probably confusing to a lot of people. Here's the error Chrome generates from FREAK Attack:
    Warning! Your client is vulnerable to CVE-2015-0204. Even though your client doesn't offer any RSA EXPORT suites, it can still be tricked into using one of them. We encourage you to upgrade your client.
  • Here is what we have on our Chrome browsers, Version 41.0.2272.76 (64-bit): Good News! Your browser appears to be safe from the FREAK Attack! Perhaps your browser is out of date?
  • It updates automatically but apparently an app restart is needed to apply the update. So, if you're running Chrome, kill it and restart it to get the patch.
  • Apple should just keep a pile of patches ready so it doesn't take a week to fix something like this!
  • So should Microsoft for Windows Phone... so should every Android phone maker... which as noted in the article - have things that never get fixed because of the distribution process... When something like this comes out about Android or Windows - it's a "dog bites man" story... when there's a story about Apple/iOS/OSX - it's "man bites dog"...
  • You can't keep a patch ready for something you don't know about. The vulnerability was disclosed this week, Apple is patching it next week. It takes time to fix, but it also takes time to test that the fix doesn't break anything else.
  • That time is the most interesting part of the response. When GoogleX waited 91 days after notification to disclose a vulnerability, they were excoriated here for not waiting until 10.10.2. Freak was disclosed - some articles say discovered - yesterday, and there is no comment whatsoever on the timing. More to the point is not the blogosphere's response, but Apple's. Apple unquestionably left vulnerabilities open for 3 months, under the guise of "it takes time," but, on this disclosure deeper down the stack, Apple promises a fix in a week. It is hard not to conclude that Apple does not view bugs not reported in the mainstream tech press as seriously, and that is a very troubling attitude about security. The lesson for any white hat is that if you discover a critical flaw in an Apple product that might be exploitable, run to the press quickly if you want to get it resolved. Lest we let Google off the hook - they claimed 90 days was more than enough time to fix these kinds of holes. They have shifted their mobile resources from Browser to Chrome, but, if they do not patch both (if needed) within that time frame, they are as hypocritical, from the other direction. Sent from the iMore App
  • Occam's razor: This was something that could be fixed and tested by next week, and the context fit the schedule.
  • That's an assumption on facts not in evidence (the schedule), not Occam's razor. Sent from the iMore App
  • Schedule over security. Yet another reason to switch from Safari. That said, I'm not sure if Android will ever be fully patched for this exploit (good luck with having HTC offer an update to the original HTC One) so iOS should be far, far ahead of the competition.
  • How could they do that? For every known exploit, there are probably a dozen more they haven't found yet. It's like keeping people in prison and claiming your prison is escape-proof...Some bored mind will always find a way to prove you wrong.
  • No OS is perfect. They all have faults no matter what you do. It's like a cat and mouse game. Posted via the iMore App for Android
  • Yeah...that's what I meant; I wasn't singling out Apple, iOS, or Safari. I do wish patches would come out quicker for ALL incidents, though. I still believe that now that Apple is gaining market shares, the number of attacks will increase exponentially. That's the nature of popularity. Same things happen to celebrities, and anything of notoriety.
  • Worst comment ever. On top of what everyone else said, why in the blue hell would anyone create a fix and then just sit on it? Especially if it's a major exploit.
  • @ Rene Ritchie: Your "FYI, if you're an Android owner, here's what you need to know: (Via WaPo, linked above)" was incomplete. It only affects people who are not on KitKat or higher. And if you are not on KitKat or higher, your phone is a cheap, old device that never gets updates and whose browser does not get used anyway.
  • Even if that is accurate — does it affect WebView? — and we don't include AOSP and forks, that's still over 50% of active Android users according to Google: https://developer.android.com/about/dashboards/index.html And blaming customers for the phone they have probably isn't a reasonable response :)
  • When Apple releases a fix for Safari, would this likely be through a system-wide iOS update requiring iOS 8 or will older versions be able to receive the patch as well? I have family on older iPhones that can't or don't want to update to iOS 8. If yes, what are the options for them? Posted via the iMore App for Android
  • Apple does not often issue security updates for older iOS versions, but they have done it on occasion: http://arstechnica.com/apple/2014/02/apple-releases-ios-7-0-6-and-6-1-6-... So your friends and family have to hope Apple does it again this time.
  • Damn, that's unfortunate. Thank you for the info! Posted via the iMore App for Android