A 10-year old security hole (Freak Bug) has been finally patched up, thanks to Apple!
With the release of the new mobile operating platform version, iOS 8.2, that includes a number of fixes for common flaws in iPhone and iPad, Apple has finally crushed the vilest and notorious bug that’s been around for 10 years, called “FREAK Bug“, short for Factoring attack on RSA-Export Key.
FREAK Bug has kept Apple‘s safari and Google‘s Android users vulnerable to high level hacking threats when some SSL clients and servers accept weak 512-bit RSA keys in some circumstances, allowing an attacker who can intercept that key to then silently factor it offline and decrypt future secure sessions.
“Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK Bug, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys,” an Apple advisory explained.
Through this major security hole, hackers could have so easily intercepted even the most fortified connections of thousands of websites; including: Whitehouse.gov, NSA.gov and FBI.gov by causing a device to restart without the user’s interaction due to a vulnerability in the CoreTelephony component of iOS.
“A null pointer dereference issue existed in CoreTelephony’s handling of Class 0 SMS messages. This issue was addressed through improved message validation,” Apple’s advisory stated.
Freak Bug
At the time the threat was found, a number of prominent websites were affected; such as: American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and, ironically, the FBI, NSA and White House sites.
Not only Apple, but also giant tech companies like Google and Microsoft have been bitten by the bug. Both companies stated that they are going to fix this serious threat and will provide a security update.
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” Microsoft’s advisory stated. “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.” it explained.
On the other hand, Google‘s Chrome on Android remains vulnerable even though the beta of Chrome 41 is safe.
Some experts blamed this outrageous threat on a former US policy that prohibited US companies from exporting the strongest encryption and security standards available. Such questionable action has exposed governments that are seeking to weaken and exploit the security needed to protect consumer devices in order to create back doors to reinforce more surveillance.
If you’re an Apple owner, you need to upgrade your OS soon as it is possible because of all these serious security threats. Just tap Settings > General > Software Update > Download and Install. The update is 476MB on iPhone; Make sure that your device is connected to Wi-Fi and a power source during the upgrade. On the other hand, the update will be installed automatically for Mac OS X users through the integrated notification system.
So rest assured, you don’t need to freak out about the FREAK Bug anymore!
Need extra protection on your Apple device? Check out this link to find the best VPNs for Apple devices.
