This was lost a bit in all the hullaballoo over Apple’s media event yesterday, but Apple has issued a fix for the “FREAK” (Factoring Attack on RSA-EXPORT Keys) security flaw that left OS X, iOS, and Apple TV devices vulnerable to hacking attacks.
The fix is available in Apple TV 7.1 for Apple TV third-generation and later, iOS 8.2 for iPhone 4s and higher, the iPod touch 5th generation and later, and iPad 2 and later. It’s also available for Macs running OS X (Mountain Lion 10.8.5, Mavericks 10.9.5, and Yosemite 10.10.2).
The FREAK vulnerability resulted from a former U.S. government policy that prevented companies from exporting strong encryption, which led to weaker “export-grade” encryption being applied to products shipped outside the U.S. While the policy was revoked over a decade ago, the weaker encryption continued to be used by software companies.
Apple removed support for ephemeral RSA keys, the source of the vulnerability.
Apple notes that Monday’s patch also includes fixes that affect iCloud Keychain, IOAcceleratorFamily, IOSurface and OS X Kernel.
The latest OS X Security Update (2015-002) can be downloaded and installed via Software Update.