Partner --> MacStrategy Tweets by @macstrategy

The FREAK Attack Security Vulnerability

by Graham Needham (BH) on 4th March 2015

Web sites/servers and web browsers have the ability to communicate securely with each other over HTTPS (the padlock icon usually appears in your web browser when you are connected securely). Unfortunately, old versions of this technology that are susceptible to attack are present in many web sites/servers and in certain circumstances these old versions can be forced to be used and currently (as of 4th March 2015) most web browsers will accept the use of these old versions and are thus vulnerable.

Q. What has Apple said about OS X and iOS?

Apple fixed this flaw in OS X, iOS and Safari with a security update released on 9th March 2015:

iOS 8.2
Security update 2015-002 (for OS X 10.8, 10.9 and 10.10)
Security update 2015-002 for OS X 10.10 Yosemite
Security update 2015-002 for OS X 10.10 Yosemite (new MacBook 12" computers only)
Security update 2015-002 for OS X 10.9 Mavericks
Security update 2015-002 for OS X 10.8 Mountain Lion

Q. How does the attack work?

Basically, a man-in-the-middle network attack can take place that will fool you and your browser into thinking it is connected securely to a web site but is in fact not connected securely and the data e.g. usernames, passwords, personal data, passing between you and the web site will be intercepted and read.

Q. Who is at risk?

Potentially everyone. If you use the internet to access secure sites e.g. logging in to sites, online banking/shopping, then you could be exposed. If you run a web site/server that uses secure services (SSL) then your configuration could be putting data and your users at risk. However, as the attack can only take place as a man-in-the-middle network attack depending on how you access the internet the risks may be low or high:

HIGH RISK - Using a public Wi-Fi network e.g. coffee shop, bar, pub, etc
HIGH RISK - Using a network you have no control over that has low security maintenance e.g. at work/a business that doesn't care about the security of its network
HIGH RISK - Using an insecure browser
UNKNOWN RISK - Using a public Wi-Fi with a secure VPN connection (is the VPN technology/software safe?)
LOW RISK - Using your home Wi-Fi network (as long as it secure/password protected and uses WPA2 encryption)
LOW RISK - Using a network you have no control over that has high security maintenance e.g. at work/a business that cares about the security of its network
LOW RISK - Using a secure browser

Q. How can I tell if my home Wi-Fi network is secure/password protected and uses WPA2 encryption?

Log into your Wi-Fi access point (usually your broadband hub/router) and check the Wireless/Wi-Fi network settings.

Q. Which browsers are secure?

The following browsers are known to be secure:

Safari for OS X 10.8 to 10.10 with security update 2015-002 installed
Safari for iOS with the iOS 8.2 update installed
Mozilla Firefox 36.0 or later for Windows and OS X
TenFourFox 31.5.0 or later for OS X

NOTE: All other browsers and browser for other platforms/operating systems should be considered insecure unless you have specifically checked that they are okay/have been updated/are secure to use.

Q. How can I tell which version of Mac OS X I am running?

A. Go to Apple menu (top left) > About This Mac > check the version of Mac OS X.

Q. What should I immediately do?

What are you running?

A web site or web server that has secure connection facilities (SSL)
OS X 10.8 and later
OS X 10.7 and earlier
OS X Server (10.8 and later)
OS X Server (10.7)
Mac OS X 10.6 Server and earlier
iOS 8.x and later
iOS 7.x and earlier
Android
Windows
UNIX
LINUX

A web site

Go to the FREAK Attack web site and follow the instructions there. You can also test your web site/server here.

OS X 10.8 and later

Apple fixed this flaw with Security update 2015-002 released on 9th March 2015.

OS X 10.7 and earlier

Apple will not fix this flaw in these versions of OS X - do not use the Safari web browser. If you need to browse the internet you should use a secure web browser (see list above) or upgrade to OS X 10.8 or later.

OS X Server (10.8 and later)

Apple fixed this flaw with Security update 2015-002 released on 9th March 2015.

OS X Server (10.7)

Apple will not fix this flaw in this version of OS X Server. Do not use this version of OS X Server on the open internet - if you can, you are recommended to upgrade OS X and OS X Server.

Mac OS X 10.6 Server and earlier

Apple will not fix this flaw in these versions of Mac OS X Server. Do not use this version of Mac OS X Server on the open internet - if you can, you are recommended to upgrade OS X and OS X Server.

iOS 8.x and later

Apple fixed this flaw with the iOS 8.2 update released on 9th March 2015.

iOS 7.x and earlier

Apple will not fix this flaw in these versions of iOS - do not use the mobile Safari web browser to connect to secure web sites. If you have an Apple iOS device that cannot be upgraded to iOS 8 or later consider upgrading your device or switching to a secure device.

Android

Google will fix this flaw in later versions of Android and also in the mobile Chrome web browser with a soon to be released security update. Until that security update is released and installed on your mobile device do not use the mobile Chrome web browser to connect to secure web sites. If you have an Android mobile device that cannot be upgraded to a secure version of Android consider upgrading your device or switching to a secure device.

Windows

Microsoft will fix this flaw in later versions of Windows and also in the Internet Explorer web browser with a soon to be released security update. Until that security update is released and installed on your computer/mobile device do not use the Internet Explorer web browser to connect to secure web sites. If you have an Windows computer/mobile device that cannot be upgraded to a secure version of Windows consider upgrading your computer/device or switching to a secure platform.

UNIX

Only use a secure web browser (see list above).

LINUX