Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X

from the we're-too-cool-for-details dept

Apple on Friday issued an update that fixed a rather severe vulnerability in its SSL/TLS implementation in iOS. In short, the flaw let an attacker sitting between an iPhone, iPad or iPod Touch and the internet (say, on a shared public Wi-Fi network) impersonate a server during the TLS handshake and read or modify data that was supposed to be encrypted. Estimates suggest that the vulnerability was introduced in iOS 6.0 back in September 2012 (Apple was added as a PRISM partner in October 2012, utterly circumstantial but just sayin'). After some reverse engineering of the patch, people discovered that the fix lands in SecureTransport, the SSL/TLS library Apple shares across its platforms, not in something specific to iOS.

The bigger problem is that the same analysis showed the flaw also affects Apple laptops and desktops running OS X (there are a few of those out there), because the vulnerable code lives in a library both operating systems share. The bug existed for well over a year before being detected, and at the moment there's not only no fix for laptop and desktop users, but Apple hasn't issued any statement warning customers that everything they do at the coffee shop is potentially exposed.
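The control-flow mistake the patch corrected, as an added example written for this page (it is not Apple's code): a stand-alone C model of the function SecureTransport uses to check the server's signature over the ServerKeyExchange message. The hash, the signature check, the error constant and the handshake inputs are constructed stand-ins; only the shape of the code, a duplicated unconditional `goto fail;` that makes the signature check unreachable, reflects the real bug.

```c
/*
 * Added example, not Apple's code: a model of the SecureTransport bug fixed
 * by the iOS 7.0.6 / OS X 10.9.2 updates (CVE-2014-1266, "goto fail").
 * The hash, the signature check, the error constant and the handshake
 * inputs are all constructed stand-ins so the file runs by itself.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int OSStatus;
#define noErr        0
#define errSSLCrypto (-9809)   /* assumed value for the model */
#define DIGEST_LEN   8

typedef struct { uint64_t state; } HashCtx;   /* toy FNV-1a, standing in for SHA-1 */

static OSStatus hash_init(HashCtx *c) { c->state = 0xcbf29ce484222325ULL; return noErr; }

static OSStatus hash_update(HashCtx *c, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 0x100000001b3ULL; }
    return noErr;
}

static OSStatus hash_final(HashCtx *c, unsigned char out[DIGEST_LEN]) {
    for (int i = 0; i < DIGEST_LEN; i++) out[i] = (unsigned char)(c->state >> (8 * i));
    return noErr;
}

/* Stand-in for the real RSA/ECDSA verification: in the model a "signature"
 * is valid only if it equals the digest; anything else must be rejected. */
static OSStatus raw_verify(const unsigned char digest[DIGEST_LEN],
                           const unsigned char *sig, size_t sig_len) {
    return (sig_len == DIGEST_LEN && memcmp(digest, sig, DIGEST_LEN) == 0) ? noErr : errSSLCrypto;
}

/* Vulnerable shape. The second "goto fail;" is not guarded by the if above
 * it, so hash_final() and raw_verify() are dead code: err still holds noErr
 * from the last successful hash_update(), and any signature is accepted. */
OSStatus verify_ske_vulnerable(const unsigned char *cr, size_t cr_len,
                               const unsigned char *sr, size_t sr_len,
                               const unsigned char *params, size_t params_len,
                               const unsigned char *sig, size_t sig_len) {
    OSStatus err;
    HashCtx ctx;
    unsigned char digest[DIGEST_LEN];

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, params_len)) != 0)
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = hash_final(&ctx, digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig, sig_len);
fail:
    return err;
}

/* Fixed shape: identical except the stray goto is gone, so the signature
 * over client random || server random || params is actually checked. */
OSStatus verify_ske_fixed(const unsigned char *cr, size_t cr_len,
                          const unsigned char *sr, size_t sr_len,
                          const unsigned char *params, size_t params_len,
                          const unsigned char *sig, size_t sig_len) {
    OSStatus err;
    HashCtx ctx;
    unsigned char digest[DIGEST_LEN];

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, params_len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig, sig_len);
fail:
    return err;
}

/* Constructed handshake values for the model (not real TLS data). */
static const unsigned char kClientRandom[] = "client-random-constructed";
static const unsigned char kServerRandom[] = "server-random-constructed";
static const unsigned char kParams[]       = "dh-params-constructed";
#define LEN(s) (sizeof(s) - 1)

/* What an honest server would send: the digest the client recomputes. */
static void model_sign(unsigned char sig[DIGEST_LEN]) {
    HashCtx c;
    hash_init(&c);
    hash_update(&c, kClientRandom, LEN(kClientRandom));
    hash_update(&c, kServerRandom, LEN(kServerRandom));
    hash_update(&c, kParams, LEN(kParams));
    hash_final(&c, sig);
}

typedef OSStatus (*verify_fn)(const unsigned char *, size_t, const unsigned char *, size_t,
                              const unsigned char *, size_t, const unsigned char *, size_t);

/* fixed: 0 runs the vulnerable function, 1 the fixed one.
 * forged: 1 flips one byte of the genuine signature, as a MITM would have to. */
OSStatus run_scenario(int fixed, int forged) {
    unsigned char sig[DIGEST_LEN];
    model_sign(sig);
    if (forged) sig[0] ^= 0x01;
    verify_fn fn = fixed ? verify_ske_fixed : verify_ske_vulnerable;
    return fn(kClientRandom, LEN(kClientRandom), kServerRandom, LEN(kServerRandom),
              kParams, LEN(kParams), sig, DIGEST_LEN);
}

int main(void) {
    printf("vulnerable, forged signature : %d  (0 = accepted)\n", run_scenario(0, 1));
    printf("fixed,      forged signature : %d\n", run_scenario(1, 1));
    printf("vulnerable, genuine signature: %d\n", run_scenario(0, 0));
    printf("fixed,      genuine signature: %d\n", run_scenario(1, 0));
    return 0;
}
```

The vulnerable version returns success for the forged signature, which is exactly what lets a man in the middle present its own key parameters and finish the handshake as the real server. GCC 6 and later flag the duplicated line under -Wall via -Wmisleading-indentation; that warning post-dates the bug, and the indentation is what let the line hide in review.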

Apple's only public comment was apparently to tell Reuters on Saturday that a fix was coming "very soon." There's a website that lets you check whether a given machine is still vulnerable. Unsurprisingly, Apple is taking a lot of heat on numerous fronts for not doing more (read: anything) to help potentially impacted users:
"Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?"
Perhaps silence is sexier? iPhone and iPad users should obviously update their systems ASAP. OS X users can reduce their exposure by browsing with Chrome or Firefox, which ship their own TLS stacks rather than using Apple's, and by disabling background services that do use Apple's stack (Mail.app, iCloud) when wandering about on coffee shop Wi-Fi; a VPN configured to carry all traffic also takes the coffee shop's network off the path an attacker would need to sit on. Regardless, surely the NSA, other intelligence organizations, hackers and other ne'er-do-wells looking to nab personal data greatly appreciate Apple's dead silence on the issue.


Reader Comments

  1. Anonymous Coward, Feb 24th, 2014 @ 4:33pm

    What did Apple know?

    And when did they know it?

    (The old questions are often the best. Those are now 40 years old and yet they still often point the way to the truth.)

  2. Anonymous, Feb 24th, 2014 @ 4:35pm

    It's not a flaw. It's a feature.

  3. Mason Wheeler (profile), Feb 24th, 2014 @ 4:39pm

    Typical Apple behavior

    This is nothing new. Apple's default response to security issues has always been to make like an ostrich and try to keep everything as quiet as possible.

  4. Anonymous Coward, Feb 24th, 2014 @ 4:45pm

    Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X

    Totally the right way to go

    https://www.youtube.com/watch?v=U74Q9aZ4-p8

    I love dead silence!

  5. JWW (profile), Feb 24th, 2014 @ 4:49pm

    Any hacker?

    My goodness. The breathlessness of the description of this vulnerability.

    Any hacker is not the case here. To execute this attack you have to intercept traffic to a website, and spoof its CA certificate (although without correct key information - as that was what wasn't being checked).

    That's not to say that an attack couldn't be carried out by coordinated hackers who had prepared and targeted a public network being used to access a https secured site.

    But attacking this vulnerability would not be trivial. Also, once an SSL session is set up with a legit site, even with this bug, that session would be secure and free from eavesdropping.

    The attack for this has to occur at SSL session configuration and handshake time. It is much harder to pull off than it is being claimed to be.

  6. TheloniousMac (profile), Feb 24th, 2014 @ 4:54pm

    "Silence"

    This is not the serious end of the world situation people are making it out to be. If you're actually worried that there is a hacker in the bushes behind your Starbucks specifically waiting for you,

    A) Don't Go
    B) Use VPN when you get there (set it for all traffic)
    C) Don't use Safari
    D) Tether to your mobile device and connect that way.

    Personally if it happens to be that big a deal for you, I'd go with A.

    You have nothing to fear on your home network. You have nothing to fear on your work network, and seriously, if that is that big a problem for you, you shouldn't be on unprotected public networks to begin with!!!!

    The chances of this thing actually harming you are far less than the typical FLASH Trojan.

    The people bitching about this are just trying to get their names in the news. The amount of alarmism and panic, as usual, does a disservice rather than taking the opportunity to inform people.

  7. Anonymous Coward, Feb 24th, 2014 @ 4:59pm

    Re: Any hacker?

    It actually would probably be pretty trivial to have a proxy that exploits this. You watch for requests to port 443, and when you get one you create your own separate connection to wherever they're going, except you act as the web server. Everything gets passed back and forth like normal, except that when you get the data from the real web server or the client, you can decrypt it, then re-encrypt and send it to the client or webserver. Log everything, and then scrape the logs for usernames and passwords.

    But you need to have control over the target's network, which is where the difficulty is.

  8. Anonymous Coward, Feb 24th, 2014 @ 5:03pm

    Apple products never become obsolete, they simply go out of style.

  9. Anonymous Coward, Feb 24th, 2014 @ 5:18pm

    Maybe they "can't" talk about it - know what I mean? *wink wink* *nudge nudge*.

  10. Michael Donnelly (profile), Feb 24th, 2014 @ 5:52pm

    Re: Any hacker?

    Any hacker? Actually, it's a lot more exploitable than you think. Here's what I'd do if I was actually a bad guy:

    Step 1: Have evil app on your lappie forge responses to DNS queries. Everything goes through you. Super easy.

    Step 2: Run a simple socket-level proxy on port 80 and 443. Watch traffic on any given device over port 80 until you see a user-agent go by (or just guess off the MAC address). Once you identify an Apple device, forge all SSL connections with a bogus cert. Log all headers and POST data. Maybe HTML returned from remote servers, too.

    Sit in Starbucks or Paradise Bakery for a couple hours. Go home, analyze logs, mayhem ensues.

    I could easily code this myself. The actual bad guys could certainly do it as well.

  11. Wally (profile), Feb 24th, 2014 @ 6:59pm

    iOS 7.0.6 fixed vulnerabilities and the next version of OSX will have the same fixes...

  13. Anonymous Coward, Feb 24th, 2014 @ 7:11pm

    Re: Any hacker?

    "Any hacker is not the case here."

    OK, I'll bite. Just exactly which hackers couldn't exploit this?

  14. Anonymous Coward, Feb 24th, 2014 @ 7:13pm

    Re: "Silence"

    E) Don't use a Mac.

  15. Anonymous Coward, Feb 24th, 2014 @ 7:38pm

    Re:

    So, the 3GS I upgraded to iOS 6 ... is doomed.

    I figured it was anyway, the iOS 6 upgrade basically turned the phone into a worthless pos - it's slower, it crashes, and now clearly it's insecure.

    Thanks Apple.

  16. Anonymous Coward, Feb 24th, 2014 @ 7:43pm

    Re: Re:

    Ah, well, it does look like they've released 6.1.6 - so hopefully it will be secure "again"... but it was still a terrible upgrade for this phone.

  17. Anonymous Coward, Feb 24th, 2014 @ 8:13pm

    Re: "Silence"

    You are a muppet.

  18. Anonymous Coward, Feb 24th, 2014 @ 9:54pm

    Safe As Ever

    Don't go out naked in public, don't use public wifi (cell phones, even iOS devices have DATA services), use a secured open-source browser without JAVA and wipe twice after you poop. Problem solved.

    My experience has been excellent with Apple so far. No infections or viruses detected or known since the Mac Plus. And when a problem was discovered (Saturday) my iOS devices all let me know I should upgrade, which I did. My experience has not been so positive with Windows. I have lost count of the number of workstations I have had to wipe clean and reinstall due to malware and virii over the past 10 years. I'll never get those hours back. And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission.

    Apple 1 Windows 0

  19. techflaws (profile), Feb 24th, 2014 @ 10:20pm

    Re: "Silence"

    F) Don't listen to fanbois.

  20. Avilion (profile), Feb 24th, 2014 @ 10:34pm

    The reason Apple is remaining so quiet is that this was an Alphabet Agency backdoor and they (incl. Apple) are scrambling to figure out what to do.

  21. Anonymous Coward, Feb 24th, 2014 @ 10:53pm

    Re: Safe As Ever

    "And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission."

    This is the most stupid thing I've read so far this year.

  22. That One Guy (profile), Feb 24th, 2014 @ 10:56pm

    Re:

    Exec 1: Okay people, we've got a bit of a situation here. A huge vulnerability in our OS has been made known, and the public is demanding answers.

    Now, normally, this wouldn't be a big deal, just patch it and we'd be good, but it's come to our attention, strictly through 'unofficial' channels mind, that the NSA and a few other agencies have been using this exploit to gather intel and/or pass the time spying on people, and they'd probably be less than thrilled to have their backdoor access closed off like that.

    However, if we don't patch it, we run the risk of angering people and potentially losing customers. Ideas?

    Exec 2: Losing customers?

    Exec 1: Yes, that's what I said.

    Exec 2: Apple customers?

    Exec 1: Yes. Look, I really don't see what you're... oh, right, good point.

    Exec 2: Yeah, we're talking about people willing to shell out a couple hundred bucks on practically a yearly basis, just because we slapped a slightly higher number on our 'new and improved' iWhatever, and they absolutely must have the newest model, a 'piddly' security flaw like this will be nothing to them, and certainly not enough to keep them from buying our stuff.

  23. Rikuo (profile), Feb 25th, 2014 @ 12:34am

    Re: Safe As Ever

    I second the AC up above, in that this is a stupid sentence
    "And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission."
    Whether or not he overcharged or the quality of Windows, you still willingly gave Microsoft your money, at which point, whenever Gates's salary goes through at his bank, it becomes his money. He doesn't need your permission to do whatever the fuck he wants with his money.

  24. Ninja (profile), Feb 25th, 2014 @ 1:57am

    Re: Any hacker?

    If you exclude mobile systems I suspect Apple hasn't much to offer potential hackers...

  25. mdpopescu (profile), Feb 25th, 2014 @ 2:58am

    But but but...

    Windows has viruses! Apple doesn't! So there!

  26. mdpopescu (profile), Feb 25th, 2014 @ 3:01am

    Re: But but but...

    Damn... I swear I hadn't read AC's comment when I wrote this.

  27. letherial (profile), Feb 25th, 2014 @ 3:22am

    Re: Safe As Ever

    If your ego must insist that you're so special that he is giving away the money you gave to him, then you could make yourself feel better knowing that the small amount of money you gave to him fed and clothed one of his children; it was the other saps' money that he gave away.

    You could also save yourself some time writing such pointless posts and never buy another Microsoft product, or any product for that matter, that you feel is overpriced again... wow, problem solved! Wasn't that simple. Even though you have a big ego, it doesn't have much in the way of brains.

    You are a perfect example of an applefan, thank you for reinforcing the egotistical ignorant stereotype that is a mac user... fucking hilarious

  28. Searchub (profile), Feb 25th, 2014 @ 3:57am

    dead silence may solve the problem!

  29. Anonymous Coward, Feb 25th, 2014 @ 4:53am

    Re: Any hacker?

    Ever heard of phishing?

    This exploit could make phishing sites appear legit.

  30. Anonymous Coward, Feb 25th, 2014 @ 7:26am

    Re: Re: Safe As Ever

    Admittedly a fan, but only because Apple earned it. I also know that no system is fully secure. But some systems are more secure than others. And that is a fact.

  31. Anonymous Coward, Feb 25th, 2014 @ 7:32am

    Re:

    you mean "silent death"

  32. weneedhelp (profile), Feb 25th, 2014 @ 8:23am

    But but but

    Macs don't have exploits and viruses. /s

  33. Anonymous Coward, Feb 25th, 2014 @ 10:52am

    uh... maybe because a fix to something this serious needs to be QAed more than five minutes? maybe the flaw was bigger than reported, and took more effort than just turning back an update?

    maybe it is here, now:
    http://gizmodo.com/the-fix-for-apples-scary-os-x-security-flaw-is-here-1529636089

  34. Anonymous Coward, Feb 25th, 2014 @ 11:04am

    Just as a side note, patch for Goto is out with 10.9.2 now:

        Software Update Tool
        Copyright 2002-2012 Apple Inc.

        Finding available software
        Software Update found the following new or updated software:
        * OSXUpd10.9.2-10.9.2
        OS X Update (10.9.2), 449548K [recommended] [restart]

    http://www.tuaw.com/2014/02/25/os-x-update-10-9-2-now-available/

  35. Anonymous Coward, Feb 25th, 2014 @ 11:08am

    Re: Re: Re: Safe As Ever

    Right, which is why anyone who knows anything about security does not use Apple.
    They provide no vulnerability database
    They provide no timely fixes

    Jacob Appelbaum sez ".. or perhaps it's because they [Apple] write shitty software, we know that's true!"

  36. John Fenderson (profile), Feb 25th, 2014 @ 12:36pm

    Re: Re: Re: Safe As Ever

    "But some systems are more secure than others. And that is a fact."

    That is true, but Apple is not inherently more secure than the other common consumer OSes. Including Windows.

  37. Anonymous Coward, Feb 25th, 2014 @ 1:24pm

    Re: Re: Re: Re: Safe As Ever

    That's a bit off. They are a part of US-CERT and supply vulnerabilities to the CVEs.
    EX: http://cve.mitre.org/data/refs/refmap/source-APPLE.html

    As for timely fixes, well, they have lacked in that department, which is why many security people now use third party package managers like HomeBrew, MacPorts, Fink, etc...

  38. Anonymous Coward, Mar 1st, 2014 @ 12:03pm

    Apple is a real innovator sometimes; they are also notoriously slow when it comes to patching of their flaws! Let's face it, all OSes have flaws; I mean it is well documented in the NVD. Even embedded processing OSes like VxWorks have issues.

    However, read the report timeline on (CVE-2013-0984) Directory Service buffer overflow flaw and you will see a prime example of how Apple "handles" the security flaws in their products from both an "urgency" and "responsibility" perspective. Oh you say that was an old release? 2009 is old? Apple loves you folks, always willing to part with (much) more cash to get the latest Apple "thing". Wait, Apple has canned support for that OS right?? Why yes they did, you just didn't hear about it until it was a done deal... again typical Apple!! But wait, Apple has given you access to their new and improved OS X 10.9.2 (Mavericks) for FREE... and it fixes the 'gotofail' bug we are talking about!!! Yeah for Apple!! Wait... hold the press... there have already been CVEs (yes plural) reported for it... DANG it, now what?!? Hey I know, let's all just take an Apple approach to problems and just pretend they don't exist until there is no longer any way to hide them. That will work, I mean I'm sure Apple keeps quiet about this stuff so the bad guys don't find out... Oh you mean the bad guys have the same access to the PUBLIC database of security flaws that sometimes include proof of concept code, or at least a technical description of the attack?!?

    But in all seriousness, IF you hold a job (security related) that includes infrastructure decisions and you recommend anything Apple, then I must say you should look for another job; because let's face it, you're not any good at the job you have.

    Nuf said

  39. Anonymous Coward, Mar 3rd, 2014 @ 9:20am

    Gotta love GNU/Linux.

