Apple has released security updates for OS X and iOS which, among other things, fix the FREAK flaw that may allow an attacker to decrypt secure communications between vulnerable clients and servers.
“Secure Transport [the Mac OS X and iPhone implementation of SSL and TLS] accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys,” the company explained in the documents accompanying the updates.
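The acceptance condition in Apple's note can be modelled in a few lines. This is an added example, not Apple's code and not part of the original article: the function names, the three policy labels and the sample message bytes are constructed for illustration, and the "spec" branch reflects the TLS 1.0 rule that a temporary RSA key of at most 512 bits belongs only to RSA_EXPORT suites.

```python
import struct

# IANA cipher suite ids. The RSA_EXPORT suites are the only RSA key-exchange
# suites in which TLS 1.0 permits a ServerKeyExchange with a temporary RSA key.
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # a full-strength RSA suite


def ephemeral_rsa_bits(ske_body: bytes) -> int:
    """Return the modulus size in bits from a ServerRSAParams structure
    (uint16 length + rsa_modulus, then uint16 length + rsa_exponent)."""
    fields, off = [], 0
    for _ in range(2):
        if off + 2 > len(ske_body):
            raise ValueError("truncated ServerRSAParams")
        (n,) = struct.unpack_from("!H", ske_body, off)
        off += 2
        if n == 0 or off + n > len(ske_body):
            raise ValueError("bad vector length in ServerRSAParams")
        fields.append(ske_body[off:off + n])
        off += n
    return int.from_bytes(fields[0], "big").bit_length()


def accepts_ephemeral_rsa(policy: str, negotiated_suite: int, ske_body: bytes) -> bool:
    """Decide whether a client uses the temporary RSA key it was sent."""
    bits = ephemeral_rsa_bits(ske_body)  # malformed messages raise ValueError
    if policy == "flawed":    # behaviour in Apple's note: suite is not consulted
        return True
    if policy == "spec":      # export suites only, and only keys of <= 512 bits
        return negotiated_suite in RSA_EXPORT_SUITES and bits <= 512
    if policy == "patched":   # the fix in Apple's note: no ephemeral RSA at all
        return False
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample: a 512-bit modulus (not a real key) with exponent 65537.
SAMPLE_SKE = (struct.pack("!H", 64) + b"\xc1" + b"\x5a" * 62 + b"\x01"
              + struct.pack("!H", 3) + b"\x01\x00\x01")

if __name__ == "__main__":
    for policy in ("flawed", "spec", "patched"):
        for suite in (TLS_RSA_WITH_AES_128_CBC_SHA, 0x0003):
            print(policy, hex(suite), accepts_ephemeral_rsa(policy, suite, SAMPLE_SKE))
```

Only the "flawed" policy accepts the 512-bit key on the full-strength suite, which is the downgrade the update closes.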
In the case of OS X, the update solves several other serious flaws, most of which can allow arbitrary code execution. The patch for Secure Transport is available for OS X Mountain Lion (v10.8.5), OS X Mavericks (v10.9.5), and OS X Yosemite (v10.10.2).
The iOS update has been in development for several months and is available for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.
It addresses the FREAK flaw, but also five other security issues.
Users are advised to update their OSes as soon as possible. If you want to make sure that the update has solved the FREAK bug, you can visit this page set up by researchers and it will tell you if you’re safe or not.