Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X
from the we're-too-cool-for-details dept
Apple on Friday issued an update that fixed a rather severe vulnerability in their SSL/TLS implementation in iOS. In short, the flaw allowed any hacker the ability to intercept data during supposedly secure and encrypted transfers when using an iPhone, iPad or iPod Touch on a public network. Estimates suggest that the vulnerability was introduced in iOS 6.0 back in September 2012 (Apple was added as a PRISM partner in October 2012, utterly circumstantial but just sayin’). After some reverse engineering of the patch, people discovered it overhauled some fairly major portions of iOS.
The bigger problem is they discovered during that analysis it also impacts Apple laptops and desktops running Apple’s OS X (there’s a few of those out there). The original bug existed for some time before being detected, and at the moment there’s not only no fix in place for laptop and desktop users, but Apple hasn’t issued any statements warning customers that everything they do at the coffee shop is potentially exposed.
Apple’s only public comment was apparently to tell Reuters on Saturday that a fix was coming “very soon.” There’s a website that allows you to check whether the flaw has been fixed yet. Unsurprisingly, Apple is taking a lot of heat on numerous fronts for not doing more (read: anything) to help potentially impacted users:
“Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?”
Perhaps silence is sexier? iPhone and iPad users should obviously update their systems ASAP, and OS X users can supposedly protect themselves by using Chrome or Firefox and disabling background services (like Mail.app or iCloud) when wandering about on coffee shop Wi-Fi. Regardless, surely the NSA, other intelligence organizations, hackers and other n’er do wells looking to nab personal data greatly appreciate Apple’s dead silence on the issue.
Who drops an SSL/TLS 0day on users at 4pm on a Friday, then spends the weekend saying a fix will be released "very soon"? Apple.
— Runa A. Sandvik (@runasand) February 24, 2014
Filed Under: encryption, ios, os x, vulnerability
Companies: apple
Comments on “Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X”
What did Apple know?
And when did they know it?
(The old questions are often the best. Those are now 40 years old and yet they still often point the way to the truth.)
It’s not a flaw. It’s a feature.
Typical Apple behavior
This is nothing new. Apple’s default response to security issues has always been to make like an ostrich and try to keep everything as quiet as possible.
Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X
Totally the right way to go
https://www.youtube.com/watch?v=U74Q9aZ4-p8
I love dead silence!
Any hacker?
My goodness. The breathlessness of the description of this vulnerability.
Any hacker is not the case here. To execute this attack you have to intercept traffic to a website, and spoof its CA certificate (although without correct key information – as that was what wasn’t being checked).
Thats not to say that an attack couldn’t be carried out by coordinated hackers who had prepared and targeted a public network being used to access a https secured site.
But attacking this vulnerability would not be trivial. Also, once an SSL session is setup with a legit sight, even with this bug, that session would be secure and free from eavesdropping.
The attack for this has to occur at SSL session configuration and handshake time. It is much harder to pull off than it is being claimed to be.
Re: Any hacker?
It actually would probably be pretty trivial to have a proxy that exploits this. You watch for requests to port 443, and when you get one you create your own separate connection to where ever they’re going, except you act as the web server. Everything gets passed back and forth like normal, except that when you get the data from the real web server or the client, you can decrypt it, then re-encrypt and send it to the client or webserver. Log everything, and then scrape the logs for usernames and password.
But you need to have control over the target’s network, which is where the difficulty is.
Re: Any hacker?
Any hacker? Actually, it’s a lot more exploitable than you think. Here’s what I’d do if I was actually a bad guy:
Step 1: Have evil app on your lappie forge responses to DNS queries. Everything goes through you. Super easy.
Step 2: Run a simple socket-level proxy on port 80 and 443. Watch traffic on any given device over port 80 until you see a user-agent go by (or just guess off the MAC address). Once you identify an Apple device, forge all SSL connections with a bogus cert. Log all headers and POST data. Maybe HTML returned from remote servers, too.
Sit in Starbucks or Paradise Bakery for a couple hours. Go home, analyze logs, mayhem ensues.
I could easily code this myself. The actual bad guys could certainly do it as well.
Re: Any hacker?
“Any hacker is not the case here.”
OK, I’ll bite. Just exactly which hackers couldn’t exploit this?
Re: Any hacker?
If you exclude mobile systems I suspect Apple hasn’t much to offer potential hackers…
Re: Any hacker?
Ever heard of phishing?
This exploit could make fishing sites appear legit.
"Silence"
This is not the serious end of the world situation people are making it out to be. If you’re actually worried that there is a hacker in the bushes behind your Starbucks specifically waiting for you,
A) Don’t Go
B) Use VPN when you get there (set it for all traffic)
C) Don’t use Safari
D) Tether to your mobile device and connect that way.
Personally if it happens to be that big a deal for you, I’d go with A.
You have nothing to fear on your home network. You have nothing to fear on your work network, and seriously, if that is that big a problem for you, you shouldn’t be on unprotected public networks to begin with!!!!
The chances of this thing actually harming you are far less than the typical FLASH Trojan.
The people bitching about this are just trying to get their names in the news. The amount of alarmist and panic, as usual, do a disservice rather than taking the opportunity to inform people.
Re: "Silence"
E) Don’t use a Mac.
Re: "Silence"
You are a muppet.
Re: "Silence"
F) Don’t listen to fanbois.
Apple products never become obsolete, they simply go out of style.
Maybe they “can’t” talk about it – know what I mean? *wink wink* *nudge nudge*.
iOS 7.0.6 fixed vulnerabilities and the next version of OSX will have the same fixes…
Re: Re:
So, the 3GS I upgraded to ios 6 … is doomed.
I figured it was anyway, the ios6 upgrade basically turned the phone into a worthless pos – it’s slower, it crashes, and now clearly it’s insecure.
Thanks Apple.
Re: Re: Re:
Ah, well, it does look like they’ve release 6.1.6 – so hopefully it will be secure “again”… but it was still a terrible upgrade for this phone.
iOS 7.0.6 fixed vulnerabilities and the next version of OSX will have the same fixes…
Safe As Ever
Don’t go out naked in public, don’t use public wifi (cell phones, even iOS devices have DATA services), use a secured open-source browser without JAVA and wipe twice after you poop. Problem solved.
My experience has been excellent with Apple so far. No infections or viruses detected or known since the Mac Plus. And when a problem was discovered (Saturday) my iOs devices all let me know I should upgrade, which I did. My experience has not been so positive with Windows. I have lost count of the number of workstations I have had to wipe clean and reinstall due to malware and virii over the past 10 years. I’ll never get those hours back. And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission.
Apple 1 Windows 0
Re: Safe As Ever
“And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission.”
This is the most stupid thing I’ve read so far this year.
Re: Safe As Ever
I second the AC up above, in that this is a stupid sentence
“And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission.”
Whether or not he overcharged or the quality of Windows, you still willingly gave Microsoft your money, at which point, whenever Gates’s salary goes through at his bank, it becomes his money. He doesn’t need your permission to do whatever the fuck he wants with his money.
Re: Safe As Ever
If your ego must insists that your so special that he is giving away your money you gave to him, then you could make yourself feel better and that small amount of money you gave to him fed and clothed one of his children, it was the other saps money that he gave away.
You could also save yourself some time writing such pointless posts and never buy another Microsoft product, or any product for that matter, that you feel is over priced again…wow, problem solved! wasnt that simple. Even though you have a big ego, it doesn’t have much in the way of brains.
You are a perfect example of a applefan, thank you for reinforcing the egoistical ignorant stereotype that is a mac user..fucking hilarious
Re: Re: Safe As Ever
Admittedly at fan, but only because Apple earned it. I also know that no system is fully secure. But some systems are more secure than others. And that is a fact.
Re: Re: Re: Safe As Ever
Right, which is why anyone who knows anything about security does not use Apple.
They provide no vulnerability database
They provide no timely fixes
Jacob Appelbaum sez “.. or perhaps it’s because they [Apple] write shitty software, we know that’s true!”
Re: Re: Re:2 Safe As Ever
That’s a bit off. They are apart of US-CERT and supply vulnerabilities to the CVEs.
EX: http://cve.mitre.org/data/refs/refmap/source-APPLE.html
As for timely fixes, well, they have lacked in that department, which is why many security people now use third party package managers like HomeBrew, MacPorts, Fink, etc…
Re: Re: Re: Safe As Ever
“But some systems are more secure than others. And that is a fact.”
That is true, but Apple is not inherently more secure than the other common consumer OSes. Including Windows.
The reason Apple is remaining so quiet is that this was an Alphabet Agency backdoor and they (inlc. Apple) are scrambling to figure out what to do.
Re: Re:
Exec 1: Okay people, we’ve got a bit of a situation here. A huge vulnerability in our OS has been made known, and the public is demanding answers.
Now, normally, this wouldn’t be a big deal, just patch it and we’d be good, but it’s come to our attention, strictly through ‘unofficial’ channels mind, that the NSA and a few other agencies have been using this exploit to gather intel and/or pass the time spying on people, and they’d probably be less than thrilled to have their backdoor access closed off like that.
However, if we don’t patch it, we run the risk of angering people and potentially losing customers. Ideas?
Exec 2: Losing customers?
Exec 1: Yes, that’s what I said.
Exec 2: Apple customers?
Exec 1: Yes. Look, I really don’t see what you’re… oh, right, good point.
Exec 2: Yeah, we’re talking about people willing to shell out a couple hundred bucks on practically a yearly basis, just because we slapped a slightly higher number on our ‘new and improved’ iWhatever, and they absolutely must have the newest model, a ‘piddly’ security flaw like this will be nothing to them, and certainly not enough to keep them from buying our stuff.
But but but...
Windows has viruses! Apple doesn’t! So there!
Re: But but but...
Damn… I swear I hadn’t read AC’s comment when I wrote this.
dead silence may solve the problem!
Re: Re:
you mean “silent death”
But but but
MAC’s dont have exploits and viruses. /s
uh… maybe because a fix to something this serious needs to be QAed more than five minutes? maybe the flaw was bigger than reported, and took more effort than just turning back an update?
maybe it is here, now:
http://gizmodo.com/the-fix-for-apples-scary-os-x-security-flaw-is-here-1529636089
Just as a side note, patch for Goto is out with 10.9.2 now:
Software Update Tool
Copyright 2002-2012 Apple Inc.
Finding available software
Software Update found the following new or updated software:
* OSXUpd10.9.2-10.9.2
OS X Update (10.9.2), 449548K [recommended] [restart]
http://www.tuaw.com/2014/02/25/os-x-update-10-9-2-now-available/
Apple is a real innovator sometimes; they are also notoriously slow when it comes to patching of their flaws! Let?s face it all OS?s have flaws; I mean it is well documented in the NVD. Even embedded processing OS?s like VXworks, have issues.
However, read the report timeline on (CVE-2013-0984) Directory Service buffer overflow flaw and you will see a prime example of how Apple ?handles? the security flaws in their products from both an ?urgency? and ?responsibility? perspective. Oh you say that was an old release? 2009 is old? Apple loves you folks, always willing to part with (much) more cash to get the latest Apple ?thing?. Wait Apple has canned support for that OS right?? Why yes they did, you just didn?t hear about it until it was a done deal?again typical Apple!! But wait Apple has given you access to their new and improved OS X 10.9.2 (Mavericks) for FREE?and it fixes the ?gotofail? bug we are talking about!!! Yeah for Apple!! Wait?hold the press? there have already been CVE?s (yes plural) reported for it?DANG it now what?!? Hey I know, let?s all just take an Apple approach to problems and just pretend they don?t exist until there is no longer any way to hide them. That will work, I mean I?m sure Apple keeps quiet about this stuff so the bad guys don?t find out?Oh you mean the bad guys have the same access to the PUBLIC database of security flaws that sometimes include proof of concept code, or at least a technical description of the attack?!?
But in all seriousness IF you hold a job (Security related) that includes infrastructure decisions and you recommend anything Apple, then I must say you should look for another job; because let?s face it you?re not any good at the job you have.
Nuf said
Gotta love GNU/Linux.