Apple and Microsoft have joined Google in releasing security updates for the so-called Freak security vulnerability a week after it was revealed by security researchers.
The Freak vulnerability, named for the Factoring attack on RSA-Export Keys, was introduced by old US export policies requiring weaker encryption.
Researchers found the decade-old vulnerability could be exploited by attackers to conduct man-in-the-middle attacks on HTTPS connections between vulnerable devices and websites.
They found that, once intercepted, the connections can be forced to use “export-grade” cryptography, even if the weak algorithms are disabled by default.
This means the latest flaw to be found in SSL/TLS could allow unauthorised parties to spy on supposedly secure internet communications.
Initially, only browsers in Android and iOS devices appeared to be vulnerable, but days later Microsoft said in a security advisory that all supported versions of its Windows operating system were also vulnerable.
Google and Apple quick to issue fixes
Google was the first to issue a security update to Android suppliers. Now Apple and Microsoft have followed suit.
Apple released security update 2015-002 for OS X users and similar patches for Apple TV and iOS in the latest updates for the software.
The OS X update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2.
“We should be grateful that Apple appears to have resolved the Freak vulnerability for its users in a relatively short amount of time,” independent security consultant Graham Cluley wrote in a blog post.
Cluley noted that the latest iOS update includes a fix for a vulnerability that could have allowed hackers to remotely restart a victim’s iPhone by sending a specially crafted SMS message.
Microsoft’s response to Freak
Microsoft also responded quickly, managing to include a fix for the Freak vulnerability in its monthly security update for March 2015.
The updates also included a fix (MS15-018) for a number of critical Internet Explorer vulnerabilities in IE6 and later versions, including the “Universal XSS” vulnerability that could be exploited to launch phishing attacks and inject malicious code into users’ browsers.
MS15-019 fixes a vulnerability in the VBScript scripting engine in Microsoft Windows, which could have allowed malicious code to execute on users’ computers.
MS15-020 fixes vulnerabilities in Microsoft Windows that could allow remote code execution, which Cluley noted is a similar vulnerability to one exploited by the Stuxnet worm.
MS15-021 fixes vulnerabilities in Adobe Font Driver that could allow remote code execution, and MS15-022 fixes vulnerabilities in Microsoft Office that could allow remote code execution.