Apple Patches FREAK, Fixes Other Vulnerabilities
The FREAK SSL/TLS vulnerability and four other issues get patched in Mac OS X security update.

While many Apple watchers were busy learning about the new Apple Watch on March 9, the company was busy patching its existing products. Apple released Security Update 2015-002, fixing five vulnerabilities in the Mac OS X operating system. The company also released iOS 8.2, which provides users with Apple Watch capabilities, as well as six security updates.

The most notable of the updates is one for the so-called FREAK vulnerability (Factoring attack on RSA-EXPORT Keys) that was first publicly disclosed on March 3. In Apple's security update, the fix for FREAK is identified as an update for Apple's Secure Transport mechanism. The FREAK flaw fix is included in both the OS X and iOS 8.2 security updates.

"Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites," Apple warned in its advisory. "This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys."

In addition to the FREAK fix, there are two patches for vulnerabilities that were reported to Apple by way of the Google Project Zero research effort. One of those issues is identified as CVE-2015-1061 and is a vulnerability in the IOSurface framework that affects both iOS and OS X. The impact of the flaw could have potentially enabled a malicious application to execute arbitrary code. Google Project Zero is also credited with reporting CVE-2015-1066 in the IOAcceleratorFamily component in OS X, which also could have potentially led to arbitrary code execution.
Additionally, the Mac OS X kernel is getting patched for a vulnerability identified as CVE-2014-4496 that could have allowed malicious applications to determine addresses in the kernel.