Apple secures Safari against FREAK attacks

Apple on Monday patched the FREAK flaw in both OS X and iOS, issuing updates for both operating systems to protect users of its Safari browser.

In a pair of accompanying advisories, Apple noted the FREAK fix as one of several in iOS 8.2 and OS X Yosemite, Mavericks and Mountain Lion. The OS X update was labeled 2015-002 to identify it as a multi-edition fix.

"Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites," Apple stated in both advisories. "This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys."

"Secure Transport" is Apple's name for the API (application programming interface) in iOS and OS X that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols that are standard on the Web for securing communications between devices -- primarily through the browsers that run on them -- and website servers.
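The check at issue in the advisory can be modeled in a few lines. This is an added example, not Apple's code: the `ServerFlight` summary, the policy names and the sample handshakes are constructed for illustration, and the "checked" policy is an assumed intermediate behaviour shown only for contrast with the fix the advisory describes.

```python
from dataclasses import dataclass
from typing import Optional

# Export-strength RSA key-exchange suites, names as in RFC 2246.
EXPORT_RSA_SUITES = frozenset({
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
})

@dataclass(frozen=True)
class ServerFlight:
    """Constructed summary of the server's handshake messages as the client sees them."""
    suite: str                    # cipher suite named in ServerHello
    temp_rsa_bits: Optional[int]  # ephemeral RSA modulus size from ServerKeyExchange, or None

def accepts(flight: ServerFlight, policy: str) -> bool:
    """Return True if a client following `policy` continues the handshake.

    "flawed":  behaviour the advisory describes; an ephemeral RSA key is
               accepted whatever suite was negotiated.
    "checked": assumed variant; ephemeral RSA only alongside an export suite.
    "removed": the fix the advisory describes; ephemeral RSA is never accepted.
    """
    if flight.temp_rsa_bits is None:
        return True  # no ephemeral key sent, nothing to police
    if policy == "flawed":
        return True
    if policy == "checked":
        return flight.suite in EXPORT_RSA_SUITES
    if policy == "removed":
        return False
    raise ValueError(f"unknown policy: {policy}")

def server_exposes_export_rsa(offered_suites) -> list:
    """Audit helper: export RSA suites a server still supports, sorted."""
    return sorted(EXPORT_RSA_SUITES.intersection(offered_suites))

# Constructed samples: a full-strength suite with and without a short ephemeral key.
FREAK_FLIGHT = ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", 512)
NORMAL_FLIGHT = ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", None)

if __name__ == "__main__":
    for policy in ("flawed", "checked", "removed"):
        print(policy, accepts(FREAK_FLIGHT, policy), accepts(NORMAL_FLIGHT, policy))
```

Only the "flawed" policy continues the handshake for `FREAK_FLIGHT`; all three still accept the ordinary handshake, which is why removing ephemeral RSA support does not break normal connections.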

Apple followed Google in patching for FREAK; the search firm's Chrome browser was updated last week on Windows, OS X and Linux to deal with the bug.

FREAK, for Factoring attack on RSA-EXPORT Keys, was the name assigned last week by researchers from Microsoft and INRIA, a French research institute, to a design flaw that could let cyber criminals silently force a browser-server connection to fall back to long-discarded encryption standards, those guarded by keys relatively easy to crack with off-the-shelf software and computing power purchased from cloud services.

The most likely assault would be through a classic "man-in-the-middle" (MITM) attack, where attackers insert themselves between users and servers on an insecure Wi-Fi network, like those at coffee shops and airports.

Safari, the default browser in iOS and OS X, could be pushed into using weaker cipher libraries, ones that were once the only ones allowed for export outside the U.S. Although the export rules were gradually relaxed, then largely abandoned, browsers and servers still blithely supported the fall-back.

Computerworld verified that the iOS 8.2 and OS X 2015-002 updates successfully patched Safari against FREAK. Previously, the browser on both operating systems had been reported as vulnerable when tested on a site maintained by a group of computer scientists at the University of Michigan.

Other browser makers have yet to fix their wares. Google's Chrome on Android remains vulnerable -- although the beta of Chrome 41 is safe -- and Microsoft, although it issued an advisory and confirmed that the bug is within Windows, has not rolled out a repair. Microsoft's Patch Tuesday for the month is tomorrow; there's an outside chance it will deploy a fix then.

iOS 8.2 patched five additional vulnerabilities, and Security Update 2015-002 fixed four others.

iOS 8.2 can be downloaded over the air from iPhones, iPads and iPod Touches, or through iTunes. From an iPhone, users must touch the "Settings" icon, then the "General" button on the resulting screen. Tapping "Software Update" will kick off the update process.

OS X's Security Update 2015-002 can be retrieved by selecting "App Store" from the Apple menu, then clicking on the "Updates" icon at the top right of the store's window.
