Archive | March 4, 2015

FREAK fix for Apple devices due within a week for iOS and OS X

Apple has mentioned to multiple sources today that patches for their operating systems are in the works and should be released in under a week, possibly as early as Monday the 9th.

FREAK SSL flaw; Apple and Google prepare patches

Researchers have disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites. A list of known affected domains is below.
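To check the client half of that condition on captured traffic, the following added example (not code from the original post) parses a TLS ClientHello record and reports any RSA_EXPORT suites it offers. The function names and the sample handshakes are constructed for illustration; the three code points are the RSA_EXPORT suites defined in RFC 2246.

```python
import struct

# RSA_EXPORT suites from RFC 2246 (TLS 1.0), keyed by IANA code point.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def offered_suites(record):
    """Return the cipher suite code points in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rlen,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def rsa_export_offered(record):
    """Names of RSA_EXPORT suites the client offers (empty list if none)."""
    return [RSA_EXPORT_SUITES[s] for s in offered_suites(record)
            if s in RSA_EXPORT_SUITES]

def build_hello(suites):
    """Constructed sample: a minimal TLS 1.0 ClientHello with no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    legacy = build_hello([0x002F, 0x0003, 0x0008])  # AES128-SHA plus two export suites
    modern = build_hello([0xC02F, 0x002F])          # no export suites
    print(rsa_export_offered(legacy))
    print(rsa_export_offered(modern))
```

An empty result covers only the "client offers an RSA_EXPORT suite" branch: a client affected by CVE-2015-0204 does not advertise export suites, so it has to be identified by its library version instead.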

Domains as of 3/4/2015