Apple and Microsoft patch Freak vulnerability

Apple and Microsoft have joined Google in releasing security updates for the so-called Freak security vulnerability

Apple and Microsoft have joined Google in releasing security updates for the so-called Freak security vulnerability a week after it was revealed by security researchers.

The flaw exploited by the Factoring attack on RSA-Export Keys (Freak) was introduced by old US export policies requiring weaker encryption.

Researchers found the decade-old vulnerability could be exploited by attackers to conduct man-in-the-middle attacks on connections between vulnerable devices and websites.

They found that, once intercepted, the connections can be forced to use "export-grade" cryptography, even if the weak algorithms are disabled by default.

This means the latest flaw to be found in SSL/TLS could allow unauthorised parties to spy on supposedly secure Internet communications.

Initially, only browsers in Android and iOS devices appeared to be vulnerable, but days later Microsoft said in a security advisory that all supported versions of its Windows operating system were also vulnerable.


Google and Apple quick to issue fixes

Google was the first to issue a security update to Android suppliers. Now Apple and Microsoft have followed suit.

Apple released security update 2015-002 for OS X users and similar patches for Apple TV and iOS in the latest updates for the software.

The OS X update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2.

“We should be grateful that Apple appears to have resolved the Freak vulnerability for its users in a relatively short amount of time,” independent security consultant Graham Cluley wrote in a blog post.

Cluley noted that the latest iOS update includes a fix for a vulnerability that could have allowed hackers to remotely restart a victim's iPhone by sending a specially-crafted SMS message.

Microsoft's response to Freak

Microsoft also responded quickly, managing to include a fix for the Freak vulnerability in its monthly security update for March 2015.

The updates also included a fix (MS15-018) for a number of critical Internet Explorer vulnerabilities in IE6 and later versions, including the “Universal XSS” vulnerability that could be exploited to launch phishing attacks and inject malicious code into users’ browsers.

MS15-019 fixes a vulnerability in the VBScript scripting engine in Microsoft Windows, which could have allowed malicious code to execute on users' computers.

MS15-020 fixes vulnerabilities in Microsoft Windows that could allow remote code execution, which Cluley noted is a similar vulnerability to one exploited by the Stuxnet worm.

MS15-021 fixes vulnerabilities in Adobe Font Driver that could allow remote code execution, and MS15-022 fixes vulnerabilities in Microsoft Office that could allow remote code execution.
