Apple and Microsoft have joined Google in releasing security updates for the so-called Freak security vulnerability a week after it was revealed by security researchers.
The vulnerability, named Freak for Factoring attack on RSA-Export Keys, was introduced by old US export policies requiring weaker encryption.
The researchers found that, once intercepted, connections can be forced to use "export-grade" cryptography, even if the weak algorithms are disabled by default.
Initially, only browsers in Android and iOS devices appeared to be vulnerable, but days later Microsoft said in a security advisory that all supported versions of its Windows operating system were also vulnerable.
Google and Apple quick to issue fixes
Google was the first to issue a security update to Android suppliers. Now Apple and Microsoft have followed suit.
The OS X update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2.
“We should be grateful that Apple appears to have resolved the Freak vulnerability for its users in a relatively short amount of time,” independent security consultant Graham Cluley wrote in a blog post.
Cluley noted that the latest iOS update includes a fix for a vulnerability that could have allowed hackers to remotely restart a victim's iPhone by sending a specially crafted SMS message.
Microsoft's response to Freak
Microsoft also responded quickly, managing to include a fix for the Freak vulnerability in its monthly security update for March 2015.
The updates also included a fix (MS15-018) for a number of critical Internet Explorer vulnerabilities in IE6 and later versions, including the “Universal XSS” vulnerability that could be exploited to launch phishing attacks and inject malicious code into users’ browsers.
MS15-019 fixes a vulnerability in the VBScript scripting engine in Microsoft Windows, which could have allowed malicious code to execute on users' computers.