Both Apple and Microsoft have patched the FREAK SSL vulnerability—and Microsoft also addressed Stuxnet vulnerabilities that have gone unpatched for five years.
FREAK lets an attacker positioned between vulnerable clients and servers tamper with the connection and force both sides to use weak 512-bit encryption, which can be cracked in a matter of hours, allowing for a man-in-the-middle (MITM) attack. FREAK was said to affect around 36% of all sites trusted by browsers, and cloud security firm Skyhigh Networks said that 24 hours after FREAK was made public last week, there were still 766 cloud services at risk from the flaw, with the average company using 122 “potentially vulnerable” services.
“If the website or cloud service you are accessing is built around Apache, and many are, FREAK is a serious vulnerability. Until patches are made, it’s a case of pitting '90s technology against modern hackers—which is no contest,” said Skyhigh Networks’ EMEA strategy director, Nigel Hawthorn.
Apple’s iOS 8.2 release for iPhone addressed both FREAK and a remote restart issue, among other vulnerabilities.
“Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites,” Apple said in its advisory. “This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys.”
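The client-side decision that advisory describes, modelled as an added example (not Apple's code and not part of the original article): it contrasts a client that uses any ephemeral RSA key the server sends with one that drops support for them. Suite names are OpenSSL's; the function `key_bits_used`, its `patched` flag and the key sizes in `demo` are assumptions made for illustration.

```python
# Toy model of the client-side decision; constructed for illustration.
from typing import Optional, Sequence

EXPORT_RSA = {"EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "EXP-DES-CBC-SHA"}  # OpenSSL names
FULL_RSA = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}


class HandshakeError(Exception):
    """Raised when the client aborts the handshake."""


def key_bits_used(offered: Sequence[str], chosen: str, cert_rsa_bits: int,
                  ephemeral_rsa_bits: Optional[int], *, patched: bool) -> int:
    """Return the size of the RSA key the client encrypts the premaster secret to.

    ephemeral_rsa_bits is None unless the server's flight contained a
    ServerKeyExchange carrying a temporary RSA key.
    """
    if chosen not in offered:
        raise HandshakeError(f"server selected {chosen}, which was not offered")
    if chosen not in EXPORT_RSA | FULL_RSA:
        raise HandshakeError("model only covers RSA key-transport suites")
    if ephemeral_rsa_bits is None:
        return cert_rsa_bits
    if patched:
        # Fix described in the advisory: no support for ephemeral RSA keys.
        raise HandshakeError("unexpected ephemeral RSA key in ServerKeyExchange")
    # Pre-fix behaviour: the temporary key is used even when `chosen` is a
    # full-strength suite, so the session rests on the short key.
    return ephemeral_rsa_bits


def demo() -> dict:
    offered = ["AES256-SHA", "AES128-SHA"]     # constructed: no export suites offered
    args = (offered, "AES128-SHA", 2048, 512)  # constructed downgraded server flight
    result = {"unpatched": key_bits_used(*args, patched=False)}
    try:
        key_bits_used(*args, patched=True)
        result["patched"] = "accepted"
    except HandshakeError as exc:
        result["patched"] = f"aborted: {exc}"
    result["honest"] = key_bits_used(offered, "AES128-SHA", 2048, None, patched=True)
    return result


if __name__ == "__main__":
    print(demo())
```
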
As for the remote restart issue, it would allow an attacker to restart a device via SMS, without user interaction: “A null pointer dereference issue existed in CoreTelephony’s handling of Class 0 SMS messages. This issue was addressed through improved message validation,” Apple’s advisory says.
Apple iOS 8.2 also fixes a vulnerability in the iCloud keychain function.
Meanwhile, Microsoft addressed FREAK in its Patch Tuesday update this week, which included 14 bulletins (five of them rated critical).
The FREAK update addresses a specific security feature bypass vulnerability in the Windows implementation of SSL/TLS that enables FREAK attacks.
FREAK aside, the most notable bulletin is a follow-on from Microsoft’s original patch for Stuxnet, which came out in 2010. Two remote code execution vulnerabilities, one of which was used by Stuxnet to attack the Iranian nuclear program in 2009, turn out to have been unpatched for five years.
Among the other bulletins are several addressing memory corruption and elevation-of-privilege vulnerabilities in Internet Explorer.
“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by modifying how the VBScript scripting engine handles objects in memory, by helping to ensure that cross-domain policies are properly enforced in Internet Explorer, and by adding additional permission validations to Internet Explorer,” Microsoft said in its advisory.