The Mac and iOS Safari web browser is susceptible to the recently publicized SSL/TLS vulnerability dubbed the FREAK attack (Factoring RSA Export Keys). The FREAK attack exploits a design flaw in some secure websites that still allow the outdated RSA_Export cipher suite, where the browser can be tricked into using a compromised level of security. Basically this means that https traffic can be potentially viewed by a man-in-the-middle attack. Currently about 9% of public web domains are susceptible to this attack if viewed through a browser that is vulnerable.

All Mac versions of Firefox and Chrome are safe from the FREAK attack.

Apple released Security Update 2015-002 yesterday that includes a patch for this Safari vulnerability. This update is for OS X 10.8.5, 10.9.5, and 10.10.2. Safari users still running OS X 10.6-10.7 should use Firefox or Chrome to avoid this potential threat, or avoid websites that permit RSA_Export cipher suites.

Apple also released iOS 8.2 yesterday to patch the FREAK attack vulnerability on iOS devices.

What about Windows?… All versions of Firefox are also safe on Windows, and Google released a Chrome v41 update for Windows last week to address potential FREAK exploits. Microsoft is working on a fix for Windows (Vista and later), which may be included in today’s Patch Tuesday bundle or in an out-of-band security update.

What about Web servers?… Test domains to see if they are vulnerable to the FREAK attack here. Web servers found that accept RSA_Export cipher suites should be patched. For Apache this requires updating OpenSSL and disabling EXPORT ciphers in the ssl.conf file.