FREAK no more: Apple, Cisco swat the latest SSL bug

The FREAK clean-up continues with Cisco and Apple releasing fixes almost in unison with Microsoft and Google.
Written by Liam Tung, Contributing Writer

Apple and Cisco have rolled out fixes for FREAK, the latest widespread bug that threatens encrypted communications. Cisco is also investigating whether the 'rowhammer' DRAM bug, which was detailed by Google this week, affects any of its products.

Along with the FREAK fix that Apple rolled out this week for its Watch-ready iOS update, Apple has now pushed out fixes for FREAK in Mac OS X and Apple TV devices across the globe.

The widely reported bug is a hangover from lawful efforts in the 1990s to make it easier for the NSA to conduct surveillance on web users outside of the US by exporting weaker encryption products.

The bug first came to light in an unremarkable security advisory by the OpenSSL Project in January. The bigger picture was revealed earlier this week by French researchers and Microsoft, highlighting that it was an industry-wide problem.

The FREAK bug affects OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2. A fix is available in Apple's Security Update 2015-002. An update to address the same flaw is available in Apple TV version 7.1.

Because of the bug, a man-in-the-middle attacker -- or someone with a "privileged network position" -- may intercept HTTPS connections secured with Secure Sockets Layer (SSL) or Transport Layer Security (TLS), Apple explained. The issue affected Safari as it is a web client that uses Secure Transport, Apple's crypto library implementation of TLS.

"Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys," Apple said.
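
The acceptance logic Apple describes can be modelled in a few lines. This is an added example, not Apple's or OpenSSL's code: the function names and sample handshakes are constructed, the cipher suite IDs are the IANA-registered values, and the middle "state-checked" policy is an assumed alternative shown only for contrast with the removal Apple chose.

```python
from typing import Optional

# IANA IDs for RSA key-exchange cipher suites (subset, enough for the demo).
RSA_EXPORT = {0x0003, 0x0006, 0x0008}  # TLS_RSA_EXPORT_WITH_{RC4_40_MD5,RC2_CBC_40_MD5,DES40_CBC_SHA}
RSA_FULL = {0x000A, 0x002F, 0x0035}    # TLS_RSA_WITH_{3DES_EDE_CBC_SHA,AES_128_CBC_SHA,AES_256_CBC_SHA}


def accept_flawed(selected: int, eph_rsa_bits: Optional[int]) -> bool:
    """Behaviour in Apple's description: an ephemeral RSA key is taken
    whenever the server sends one, so eph_rsa_bits is never consulted."""
    return selected in RSA_EXPORT | RSA_FULL


def accept_state_checked(selected: int, eph_rsa_bits: Optional[int]) -> bool:
    """Assumed alternative: ephemeral RSA key allowed only on an export suite."""
    if selected not in RSA_EXPORT | RSA_FULL:
        return False
    return eph_rsa_bits is None or selected in RSA_EXPORT


def accept_removed(selected: int, eph_rsa_bits: Optional[int]) -> bool:
    """The fix Apple describes: no support for ephemeral RSA keys at all."""
    return selected in RSA_FULL and eph_rsa_bits is None


# Constructed server flights: (label, suite from ServerHello, modulus bits of
# the RSA key in ServerKeyExchange, or None when that message is absent).
FLIGHTS = [
    ("normal full-strength handshake", 0x002F, None),
    ("short key on full-strength suite", 0x002F, 512),
    ("export suite with its short key", 0x0003, 512),
]


def evaluate():
    """Return {label: (flawed, state_checked, removed)} for each flight."""
    return {label: (accept_flawed(s, b), accept_state_checked(s, b),
                    accept_removed(s, b))
            for label, s, b in FLIGHTS}


if __name__ == "__main__":
    for label, v in evaluate().items():
        print(f"{label:34} flawed={v[0]} state_checked={v[1]} removed={v[2]}")
```

The second flight is the FREAK case: only the flawed policy accepts a short ephemeral key on a full-strength suite.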

Microsoft yesterday released a FREAK fix for its TLS implementation, Schannel, while Google has released fixes for Chrome on the desktop and Android.

Cisco yesterday confirmed dozens of its products that use OpenSSL are affected by FREAK as well as seven other flaws in OpenSSL. The company is inspecting dozens more products that may be affected, such as its Jabber client for Macs, routers, security devices, and TelePresence units. A full list of products and models confirmed to be vulnerable can be found here.

Cisco is also investigating the impact on its products of the rowhammer DRAM vulnerability that Google's Project Zero security researchers revealed details of this week. Google's researchers showed the bug was exploitable in several x86 laptops and called upon hardware manufacturers to share more information about their efforts to remediate the flaw.

Cisco has confirmed some products are not vulnerable to rowhammer but is still investigating products that allow an unprivileged user to load and execute binaries. These include several Unified Computing servers as well as its Nexus 9000 and 3000 series devices.

"Each of the following products contains a number of hardware protections against Row Hammer events, including ECC memory modules. Based on the initial research report, there is no reason to believe any Cisco products would be affected. However, Cisco is testing against the following products to confirm," Cisco said.
