Official website of the Department of Homeland Security

The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

Microsoft Releases March 2015 Security Bulletin and Patches FREAK

Microsoft has released updates to address Windows vulnerabilities as part of the Microsoft Security Bulletin Summary for March 2015. Exploitation of one of these vulnerabilities (FREAK) could allow a remote attacker to decrypt secure communications between vulnerable clients and servers.

US-CERT encourages users and administrators to review Microsoft Security Bulletin Summary MS15-MAR and apply the necessary updates.

Apple Addresses FREAK and Releases Security Updates for OS X, iOS, and Apple TV

Apple has released security updates for OS X, iOS, and Apple TV to address multiple vulnerabilities, one of which may allow an attacker to decrypt secure communications between vulnerable clients and servers (FREAK).

Updates available include:

  • Xcode 6.2 for OS X Mavericks v10.9.4 or later
  • Security Update 2015-002 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2
  • Apple TV 7.1 for Apple TV 3rd generation and later
  • iOS 8.2 for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later

US-CERT encourages users and administrators to review Apple security updates HT204427, HT204413, HT204426, and HT204423, and apply the necessary updates.

FREAK SSL/TLS Vulnerability

FREAK (Factoring Attack on RSA-EXPORT Keys, CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

Users and administrators are encouraged to review Vulnerability Note VU#243585 for more information and apply all necessary mitigations as vendors make them available. Users may visit freakattack.com to help determine whether their browsers are vulnerable. (Note: DHS does not endorse any private sector product or service. The last link is provided for informational purposes only.)


This product is provided subject to this Notification and this Privacy & Use policy.
