Naked Security

Apple fixes FREAK in iOS, OS X and Apple TV – and numerous other holes besides

Apple's latest security fixes are out. The FREAK bug is now fixed, but so are numerous other holes worth patching in their own right.

Apple has just announced its latest round of security updates.

OS X in its 10.8, 10.9 and 10.10 flavours (Mountain Lion, Mavericks and Yosemite) gets Security Update 2015-002.

iOS goes to version 8.2; Apple TV gets 7.1.

In particular, the fix that we advised you to “watch for” is here.

For users of all the platforms mentioned above, the TLS FREAK bug is patched.

FREAK is the security flaw that could allow an attacker to trick you into making what you think is a secure TLS connection, but with downgraded security using legacy, insecure, crackable cryptographic keys.

The bug, which was found by a team of researchers including three from Microsoft, was originally thought to apply only to OpenSSL and to Apple’s Secure Transport system library.

That made Apple’s Safari browser the most widespread one to have this bug – until, in a sort of irony, Microsoft realised that its own Schannel TLS library was at risk too, and with it Internet Explorer.
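To make the "downgraded security" concrete, here is an added example (not from the original article, and not Apple's fix) that audits a summary of one TLS handshake for the signs of a FREAK-style downgrade. The cipher suite IDs are the IANA values; the `Handshake` fields, the sample handshakes and the 2048-bit minimum are assumptions made for illustration.

```python
# Added illustration: audit one TLS handshake summary for FREAK-style downgrade signs.
from dataclasses import dataclass
from typing import List, Optional

# Export-grade RSA suites (IANA IDs): the legacy, crackable key exchange.
RSA_EXPORT = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Ordinary RSA key-exchange suites: no ServerKeyExchange message is allowed here.
PLAIN_RSA = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
MIN_RSA_BITS = 2048  # assumed local policy, not a value from the article

@dataclass
class Handshake:                  # hypothetical summary record
    offered: List[int]            # suites listed in the ClientHello
    selected: int                 # suite named in the ServerHello
    temp_rsa_bits: Optional[int]  # temporary RSA key in ServerKeyExchange, None if absent
    cert_rsa_bits: int            # RSA key size in the server certificate

def audit(hs: Handshake) -> List[str]:
    findings = []
    if hs.selected not in hs.offered:
        findings.append("selected suite was never offered by the client")
    if hs.selected in RSA_EXPORT:
        findings.append("export-grade suite negotiated: " + RSA_EXPORT[hs.selected])
    # The client-side check: a plain RSA handshake must not carry a temporary key.
    if hs.selected in PLAIN_RSA and hs.temp_rsa_bits is not None:
        findings.append("unexpected temporary RSA key in a non-export RSA handshake")
    # The key that actually protects the session is the temporary one, if present.
    key_bits = hs.temp_rsa_bits if hs.temp_rsa_bits is not None else hs.cert_rsa_bits
    if key_bits < MIN_RSA_BITS:
        findings.append(f"key exchange uses a {key_bits}-bit RSA key")
    return findings

# Constructed sample handshakes (not captured traffic).
CLEAN = Handshake([0x002F, 0x0035], 0x002F, None, 2048)
DOWNGRADED = Handshake([0x002F, 0x0035], 0x002F, 512, 2048)
EXPORT_OFFERED = Handshake([0x0003, 0x002F], 0x0003, 512, 2048)

if __name__ == "__main__":
    for name, hs in [("clean", CLEAN), ("downgraded", DOWNGRADED), ("export", EXPORT_OFFERED)]:
        print(name, audit(hs))
```

The `DOWNGRADED` case is the one that matters for a patched client: the certificate looks strong, but the session would be keyed with the weak temporary key unless the handshake is rejected.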

IOSurface RCE

But don’t grab these updates for the FREAK patch alone.

All three platforms (Apple TV, iOS and OS X) shared the same Remote Code Execution (RCE) vulnerability, found by Google’s Project Zero.

That bug existed in the Apple IOSurface programming framework.

IOSurface is a way for two processes to share a video rendering buffer, for example so that movie frames might be decompressed by a rendering process, but displayed by a separate movie player.

Ironically, as Apple explains, IOSurface is “commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security.”

Presumably, the idea is that a process like a movie player or a web browser is therefore shielded from potentially dangerous rendering bugs in the code that actually takes apart the complex data structures inside the average image file.

If a booby-trapped image or movie file should crash the rendering process and gain control over process execution, it would not automatically get access to information such as browser data or already-active internet connections as a result.

Unfortunately, in the case of CVE-2015-1061, the IOSurface framework itself opened up a security hole.

Other security holes

Various other RCE holes are patched in iOS and OS X; any one of these would make the updates worth applying without delay on their own.

Intriguingly, Apple TV and iOS share a security bypass bug in a component called MobileStorageMounter.

The impact of this bug is stated as:

A malicious application may be able to create folders in trusted locations in the file system.

That sounds like just the sort of security hole that would be terribly handy for jailbreaking: the ability to tweak otherwise locked-down system files. (Of course, that sort of hack is great for crooks with brief physical access to your iPhone, too.)

And, indeed, this vulnerability, designated CVE-2015-1062, is credited to TaiG Jailbreak Team.

Any known problems?

Unfortunately, I can’t give you any first hand advice.

As a keen Apple user [Did you mean “fanbuoy”? – Ed], I went straight from Apple’s advisory emails to the OS X App Store, and to the official downloads page.

The OS X advisory assures me that:

Security Update 2015-002 may be obtained from the Mac App Store or Apple's Software Downloads web site.

But at 2015-03-09-22:42Z, in my part of the world at least, there’s still no sign of the updates.

Which makes me wonder if Apple is carefully waiting until after midnight UTC, which would officially make this into an Update Tuesday?

0 Comments

I appreciate the information and have now upgraded, (this may be a stupid question) but would I know if Freak was installed on my Mac? I use Sophos for Mac anti virus.

Reply

Hi Krista A,

FREAK is not a malware infection that can be installed on a Mac or a PC. It’s the name of a recently discovered flaw in TLS/SSL (the protocols that make your connection to a server/website secure and show up as a lock icon in your web browser).

While I have read that there were roughly 14 million websites affected by this issue, since the issue has been announced, large content delivery networks such as Akamai and connect.facebook.net have been updated to remove the FREAK flaw. With Apple Safari for both iOS and OS X now updated and Google Chrome and Firefox already not vulnerable to this issue, the risk is becoming significantly lower over time.

Due to the fast response of many websites and web browser vendors to this issue, you will not be vulnerable any longer. Only Internet Explorer remains at risk (but Microsoft has issued a workaround until they resolve this issue).

The list of vulnerable servers is being tracked at Freakattack.com

I hope this helps. If you have any other questions, please feel free to ask. Thanks.

Reply

Thank you for your excellent article plus the previous posting about the TLS FREAK bug.

You are indeed correct about the Tuesday update. I have been checking for this patch a number of times a day and this morning found the update available to me in my iPad settings.

I am in Australia……Melbourne in fact so I downloaded the patch prior to 7.00 am our time which is as you suspected Tuesday!

The description of the patch was something like……Support for Apple Watch, Improvement for Health App, Increased stability and Bug Fixes,

On the iPad preparation was around ten mins whilst the actual download was also ten mins.

I appreciate so much your original article as it wasn’t till a few days later that I saw any other mention of it. Feels good to know that patch now in place!

Reply

Apparently the update availability was regionally controlled more than by date/time. In my location in the Central time zone of the U.S., several of us had it available to us mid-afternoon on Monday.

Reply

It sure would be nice if Apple also focused on performance issues… my ancient 3-year-old 4S (not sure when 3 years because “ancient”) is so laggy, it has become almost unusable.

Reply

It’s called “Planned Obsolescence”. Why would they help your old technology when doing so would stop you from buying the next iProduct? They allow their 2-year-old products to suffer in order to push customers to the 6-month-old products.

Reply

Duck wrote: “But at 2015-03-09-22:42Z, in my part of the world at least, there’s still no sign of the updates.

“Which makes me wonder if Apple is carefully waiting until after midnight UTC, which would officially make this into an Update Tuesday?”

Staggering the workload on the server. Makes your download faster, once it occurs.

Reply
