Apple Patches FREAK, Fixes Other Vulnerabilities

By Sean Michael Kerner  |  Posted 2015-03-10 Print this article Print
Apple security

The FREAK SSL/TLS vulnerability and four other issues get patched in Mac OS X security update.

While many Apple watchers were busy learning about the new Apple Watch on March 9, the company was busy patching its existing products. Apple released Security Update 2015-002, fixing five vulnerabilities in the Mac OS X operating system. The company also released iOS 8.2, which provides users with Apple Watch capabilities, as well as six security updates.

The most notable of the updates is one for the so-called FREAK vulnerability (factoring attack on RSA-EXPORT Keys) that was first publicly disclosed on March 3. In Apple's security update, the fix for FREAK is identified as an update for Apple's Secure Transport mechanism. The FREAK flaw fix is included in both the OS X and iOS 8.2 security updates.

"Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites," Apple warned in its advisory. "This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys."

In addition to the FREAK fix, there are two patches for vulnerabilities that were reported to Apple by way of the Google Project Zero research effort.  One of those issues is identified as CVE-2015-1061 and is a vulnerability in the IOSurface framework that affects both iOS and OS X. The impact of the flaw could have potentially enabled a malicious application to execute arbitrary code. Google Project Zero is also credited with reporting CVE-2015-1066 in the IOAcceleratorFamily component in OS X, which also could have potentially led to arbitrary code execution.

Additionally, the Mac OS X kernel is getting patched for a vulnerability identified as CVE-2014-4496 that could have allowed malicious applications to determine addresses in the kernel.

"The mach_port_kobject kernel interface leaked kernel addresses and heap permutation value, which may aid in bypassing address space layout randomization protection," Apple warned in its advisory.

Both OS X and iOS are also being patched for a vulnerability in the iCloud Keychain, which is a feature that is used to safely store usernames and passwords.

"Multiple buffer overflows existed in the handling of data during iCloud Keychain recovery," Apple warned. "These issues were addressed through improved bounds checking:"

iOS 8.2 also includes a patch for a flaw in the CoreTelephony library identified as CVE-2015-1063, which could have potentially enabled a remote attacker to trigger an iOS device to restart, after receiving a malicious short Message Service (SMS) text. Another fix is in the MobileStorageMounter component in iOS 8.2, which is being updated to protect against the CVE-2015-1062 vulnerability that could have potentially enabled a malicious application to create folders in trusted locations in the file system.

The last security patch in the iOS 8.2 update is for the CVE-2015-1064 vulnerability that impacts the home screen on iOS devices.

"A person with physical access to the device may be able to see the home screen of the device, even if the device is not activated," Apple warned.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel