Apple patches TLS Freak vulnerability in OS X, iOS and Apple TV

Systems running OS X 10.8, 10.9, and 10.10 will receive a security update on Tuesday. iOS goes to 8.2 and Apple TV gets version number 7.1. Besides the TLS Freak bug, several other bugs are being fixed.

This is reported by the Sophos security blog. Freak is a bug in SSL implementations that was once built in by the US government and can be exploited by forcing a connection down to a lower encryption level. An attacker can impersonate a server on what looks like a secure TLS connection, but one with a lower level of security that relies on crackable cryptographic keys.

Alongside the patches for Freak, Apple is fixing vulnerabilities found by Google’s Project Zero. These include a remote code execution vulnerability in the IOSurface programming framework. IOSurface is a way to let two processes share the same video buffer.

Beyond these two bugs, Apple fixes a few other remote code execution (RCE) bugs with the security update, which will be numbered 2015-002.