
Apple confirms OS X contains same SSL security flaw patched with iOS 7.0.6, says fix coming 'very...

post #1 of 67
Thread Starter 
Apple on Saturday said it is working to fix a flaw in OS X that could in some cases allow hackers to intercept communication sent using SSL/TLS security protocols. The same error was patched in an iOS update the company rolled out on Friday.

CVE
CVE ID description for Apple's iOS security flaw.


In a statement provided to Reuters, Apple confirmed researcher findings that the same SSL/TLS security flaw fixed with the latest iOS 7.0.2 update is also present in OS X. The Cupertino company said it expects to have a software update ready for release "very soon."

"We are aware of this issue and already have a software fix that will be released very soon," said Apple spokesperson Trudy Muller.

On Friday, Apple quietly pushed out iOS 7.0.2, with accompanying release notes saying the software "provides a fix for SSL connection verification." A support document issued alongside the update read:

iOS 7.0.6

Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.


End users not running the latest patched iOS software may be open to attacks when connected to a shared network. Nefarious users could potentially view, alter or download email and other data sent via the Secure Socket Link protocol, which falls under the umbrella of Transport Layer Security.

As noted in the security document, iOS Secure Transport "failed to validate the authenticity of the connection." At its core, the issue stems from the mishandling and faulty recognition of digital certificates used to establish secure encrypted connections.

In the case of iOS and OS X, Apple's implementation is missing code, causing a failure to verify these certificates. When a user visits what they believe to be a trusted site, hackers can potentially pose as a legitimate certificate holder and collect data sent over the connection before handing it off to the real site.

While it is unclear exactly when Apple discovered the flaw, the CVE (Common Vulnerabilities and Exposures) identification code for the iOS version was reserved and assigned to an unknown party on Jan. 8. The CVE is a publicly available standardized reference for known software security vulnerabilities.
post #2 of 67
1) Still present in latest 10.9.2 beta.

2) As bad as this bug is I would wager that a person using it to read data you assumed secured is very remote.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #3 of 67
Seriously... 7.0.2 in the headline and every in-story reference except the copy-n-paste one from Apple?? -- Really... Where's the editorial review, guys?
post #4 of 67
well, in their defense they did mention 7.0.2 three times and that does add up to 7.0.6.
"Personally, I would like nothing more than to thoroughly proof each and every word of my articles before posting. But I can't."

appleinsider's mike campbell, august 15, 2013
post #5 of 67
The headline is wrong. Don't you mean 7.0.6?
post #6 of 67

7.0.6 :)

post #7 of 67
Quote:
Originally Posted by SolipsismX View Post

1) Still present in latest 10.9.2 beta.

2) As bad as this bug is I would wager that a person using it to read data you assumed secured is very remote.
Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.
post #8 of 67
Quote:
Originally Posted by Rogifan View Post


Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

Ars calls it "extremely critical." Part of the hoopla is also over the outsized impact of a simple coding mistake.

 

http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/

post #9 of 67
The link provided for the CVE is missing a "6" on the end. (Currently links to CVE-2014-126 instead of CVE-2014-1266)
post #10 of 67
Quote:
Originally Posted by ECats View Post

The link provided for the CVE is missing a "6" on the end. (Currently links to CVE-2014-126 instead of CVE-2014-1266)

 

Yeah, this site is known for their typos.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #11 of 67
So which news articles have there been, before the patch was released, about actual attacks using this exploit.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #12 of 67

I hope this doesn't patch the MITM attack I've been using to mess with my cousin from my phone.  It's funny watching him get all worked up when I redirect his traffic.

"Proof is irrelevant" - Solipsism
post #13 of 67
Quote:
Originally Posted by charlituna View Post

So which news articles have there been, before the patch was released, about actual attacks using this exploit.
 
Well, that’s a point to be taken. Almost all of these so-called major flaws or bugs never see the light of day in the real world. They are just ginned up to paranoia level by trolls and security software hawkers. 
post #14 of 67
This bug does not affect pre-Mavericks users, correct? (Nor 10.9.0 users--if any? Just the current 10.9.1?)
post #15 of 67

It sounds like Apple fell victim to the common error discussed in this article:

 

https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

post #16 of 67
Quote:
Originally Posted by charlituna View Post

So which news articles have there been, before the patch was released, about actual attacks using this exploit.

This bug appears to have been introduced in OS X in Mavericks, it's not in Mountain Lion, maybe through their back to the Mac after putting it in iOS 6/7.

OS X 10.8 July 2012 -- iOS 6 Sept 2012 -- iOS 7 Sept 2013 -- Mavericks October 2013

For someone to exploit this, they need to be on a network between you and your destination. If you're on your home network, that's just people on your router and your ISP. They also would need to know that the exploit exists and how to exploit it to their advantage.

The worst case is for public wifi if you check email or do any digital banking but someone would have to be pretty much dumping all traffic from a public hotspot at all times in the hope that someone doing something worthwhile comes along with a device that had the vulnerability and then exploit it. Now that the exploit is known, it's more likely someone will try targeted attacks but they'd still be in for a long wait dumping public wifi traffic.
post #17 of 67
Quote:
Originally Posted by Jamescat View Post

Really... Where's the editorial review, guys?

 

Probably the same place Apple's code review is.

 

Quote:

Originally Posted by Rogifan View Post

Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

 

The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?

post #18 of 67

That is what happens when you are obsessed with making the phone 0.00001mm thinner instead of taking care of things that truly matter like, you know, SECURITY!

post #19 of 67
Quote:
Originally Posted by Rogifan View Post

Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

This article contains the code review of Apple's SSL/TLS bug:
https://www.imperialviolet.org/2014/02/22/applebug.html

If this is the actual code, it means there is no unit test for it.
post #20 of 67
Quote:
Originally Posted by NelsonX View Post

That is what happens when you are obsessed with making the phone 0.00001mm thinner instead of taking care of things that truly matter like, you know, SECURITY!

Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.
post #21 of 67
Quote:
Originally Posted by MazeCookie View Post


Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.

Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. In that case I have no complaints at all. It's not Apple's fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!

post #22 of 67
Quote:
Originally Posted by MazeCookie View Post

Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.

There's no engineering team working on software? I wonder who wrote this code, then trained monkeys?

 

Things like security, coding style, and review are taxes. You have to pay your taxes because it's necessary, but you don't see an immediate benefit from them. If they had discipline and required braces on if statements, then the programmer would have gotten an error and instantly fixed it. The bug would have lasted a whole minute, and nobody would have ever known about it. (In the strictest organizations, those who do safety critical stuff, the coder would have had to log that error so they would have had metrics). They didn't pay their taxes, and now look what happened.

 

The product managers, design teams and engineers, and most importantly senior leadership, need to understand the value of these taxes, ensure they are paid. Otherwise they will gain a reputation of being slow and unreliable (Blackberry) or insecure (Android) and people will stop buying their products. What's the use of designing such a thin phone if nobody buys it?
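
An added example, not part of the thread and not Apple's source: a simplified C model of the pattern posts #19 and #22 discuss, a duplicated `goto` after an unbraced `if` that skips the final signature check, next to the same duplicated line when every `if` has braces. The function names, the toy hash and "signature", and the sample inputs are constructed for illustration; `accepts()` is the kind of negative unit test post #19 says was missing.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the handshake steps (not cryptography); 0 = success. */
static int hash_update(unsigned *h, const unsigned char *p, size_t n)
{
    if (p == NULL) return -1;
    for (size_t i = 0; i < n; i++) *h = *h * 31u + p[i];
    return 0;
}
static unsigned toy_sign(unsigned h) { return h ^ 0x5EC0DEu; }
static int verify_sig(unsigned h, unsigned sig) { return sig == toy_sign(h) ? 0 : -2; }

/* Unbraced ifs with one line duplicated: the second goto is unconditional. */
int verify_unbraced(const unsigned char *a, const unsigned char *b, size_t n, unsigned sig)
{
    int err;
    unsigned h = 17;
    if ((err = hash_update(&h, a, n)) != 0)
        goto fail;
    if ((err = hash_update(&h, b, n)) != 0)
        goto fail;
        goto fail;                          /* duplicate: always taken, err == 0 */
    if ((err = verify_sig(h, sig)) != 0)    /* signature check is never reached */
        goto fail;
fail:
    return err;                             /* 0 is reported as "verified" */
}

/* Same duplicated line, but braced: it is dead code inside the block. */
int verify_braced(const unsigned char *a, const unsigned char *b, size_t n, unsigned sig)
{
    int err;
    unsigned h = 17;
    if ((err = hash_update(&h, a, n)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, b, n)) != 0) {
        goto fail;
        goto fail;                          /* duplicate: unreachable, harmless */
    }
    if ((err = verify_sig(h, sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

typedef int (*verify_fn)(const unsigned char *, const unsigned char *, size_t, unsigned);

/* Constructed sample inputs. */
static const unsigned char RND[4] = {1, 2, 3, 4};
static const unsigned char PARAMS[4] = {9, 8, 7, 6};

/* Negative test: returns 1 if the verifier accepts the (optionally forged) signature. */
int accepts(verify_fn f, int forged)
{
    unsigned h = 17;
    hash_update(&h, RND, 4);
    hash_update(&h, PARAMS, 4);
    unsigned sig = toy_sign(h) ^ (forged ? 1u : 0u);
    return f(RND, PARAMS, 4, sig) == 0;
}

int main(void)
{
    printf("unbraced accepts forged: %d\n", accepts(verify_unbraced, 1));
    printf("braced accepts forged:   %d\n", accepts(verify_braced, 1));
    return 0;
}
```

A test that only feeds valid signatures passes for both functions; only the forged-signature case separates them.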

post #23 of 67
Quote:
Originally Posted by NelsonX View Post

Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. In that case I have no complaints at all. It's not Apple's fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!
Um, the people involved with the thickness of iPhone are not the same employees involved with source code. Last time I checked mechanical engineers are not software engineers.
post #24 of 67
Quote:
Originally Posted by konqerror View Post

The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?
Maybe Apple should fire their entire software engineering team since, according to you, they obviously have poor engineering practices all around. What I find ironic is this apparently first appeared in iOS 6 which was released under Forstall and yet there are people who claim Apple is doomed if they don't bring Forstall back.
post #25 of 67
Quote:
Originally Posted by Rogifan View Post


Maybe Apple should fire their entire software engineering team since, according to you, they obviously have poor engineering practices all around. What I find ironic is this apparently first appeared in iOS 6 which was released under Forstall and yet there are people who claim Apple is doomed if they don't bring Forstall back.

 

Thanks for putting words in my mouth. I said the entire incident shows poor engineering practices, not that all software engineers there were bad. I didn't say anybody should be fired, but when things like this happen it starts at middle level management and above.

 

This is where Google shines, they're fundamentally run by nerds. It's also where Google fails, it seems they are more interested in the taxes, like new programming languages and codecs and HTML extensions rather than actual product development.

post #26 of 67
If this is as serious as some suggest, why hasn't Apple released a patch for Mavericks yet? One would assume if someone gets compromised it wouldn't take two seconds to file a lawsuit. I can't imagine Apple would want to expose itself to that. I guess I'm trying to understand if this really is as bad as some are suggesting, or, if it's just the weekend with nothing else to talk about and this will find its way to the back page come tomorrow when MWC starts and Samsung introduces their new phone.
post #27 of 67
Quote:
Originally Posted by Rogifan View Post

If this is as serious as some suggest, why hasn't Apple released a patch for Mavericks yet? One would assume if someone gets compromised it wouldn't take two seconds to file a lawsuit.

This was obviously not published on Apple's timeline, somebody found or exploited it. Why was the Apple TV, which doesn't have anything important on it, patched before Mavericks? If Apple was half competent and they were in control, they would have released everything at once.

 

Have you ever seen anybody sued for software defects? Microsoft? Doesn't work that way. Your license agreement in big letters says they are not liable, and there's never been a precedent for holding a company liable for negligence in consumer grade PC software.

post #28 of 67
Quote:
Originally Posted by konqerror View Post

This was obviously not published on Apple's timeline, somebody found or exploited it. Why was the Apple TV, which doesn't have anything important on it, patched before Mavericks? If Apple was half competent and they were in control, they would have released everything at once.

Have you ever seen anybody sued for software defects? Microsoft? Doesn't work that way. Your license agreement in big letters says they are not liable, and there's never been a precedent for holding a company liable for negligence in consumer grade PC software.
So let's see, Apple has poor engineering practices and is not competent or in control. Guess that means someone should be fired then?
post #29 of 67
Quote:
Originally Posted by Rogifan View Post


So let's see, Apple has poor engineering practices and is not competent or in control. Guess that means someone should be fired then?


More words in my mouth. I said Apple is not in control of the disclosure timeline of this bug. The cat got out of the bag before Apple had a chance to fully react.

 

I didn't say anybody should be fired. I am saying there are serious software engineering issues that are evident by the open source code on security critical software and a comprehensive organizational review and changes are necessary.

 

I predict your next claim is saying that I am now blaming Tim Cook on this bug, and it's not really a bug and just made up by Android fans.

post #30 of 67
Quote:
Originally Posted by konqerror View Post


More words in my mouth. I said Apple is not in control of the disclosure timeline of this bug. The cat got out of the bag before Apple had a chance to fully react.

I didn't say anybody should be fired. I am saying there are serious software engineering issues that are evident by the open source code on security critical software and a comprehensive organizational review and changes are necessary.

I predict your next claim is saying that I am now blaming Tim Cook on this bug, and it's not really a bug and just made up by Android fans.
You said: "If Apple was half competent and they were in control, they would have released everything at once." "If Apple was half competent" seems to me like you don't think that they are competent (at least in this area). I never suggested that you think someone should be fired. I said that. IF this is as serious as some suggest and millions of people are/have been at risk since iOS 6 over a line of code that should have been caught in code review, then yes I think someone should be fired over it.
post #31 of 67
Quote:
Originally Posted by Marvin View Post


The worst case is for public wifi if you check email or do any digital banking but someone would have to be pretty much dumping all traffic from a public hotspot at all times in the hope that someone doing something worthwhile comes along with a device that had the vulnerability and then exploit it. Now that the exploit is known, it's more likely someone will try targeted attacks but they'd still be in for a long wait dumping public wifi traffic.

That would explain Square sending out an iOS update alert. Finding a retailer using them as their CC processor and over wi-fi would be pretty easy. As quickly as Square responded perhaps they've already seen this vulnerability in action?

EDIT: Gruber gives a tip-of-the-hat to the tinfoilers.
http://daringfireball.net/2014/02/apple_prism
Edited by Gatorguy - 2/23/14 at 5:03am
melior diabolus quem scies
post #32 of 67
It'd be interesting to learn which applications actually really use the Security.framework where the bug resides, besides Safari that is.

It's probably not even that critical on OSX compared to iOS (where there's little choice) since most applications rather use OpenSSL directly instead of some Apple framework...
post #33 of 67
I was most impressed that Apple had an iOS patch for this that covered iOS 6 and my aging iPhone 3gs. That's the kind of long-term support, I tell people, that puts iPhones ahead of their competition. Most smartphone makers seem to give no support once a product is discontinued.

I hope Apple does the same with the OS X patch. My MacBook, which I still find useful, won't run any OS X past Lion. It needs a patch too.
post #34 of 67
Quote:
Originally Posted by SolipsismX View Post

1) Still present in latest 10.9.2 beta.

2) As bad as this bug is I would wager that a person using it to read data you assumed secured is very remote.

Hopefully 10.9.2 will be released, patched, to all any day. I've lost count of the updates I've had!

Is XP SOOL I wonder? This affects all OSs doesn't it? ... so many PCs out there still using it!
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
"Google doesn't sell you anything, they just sell you!"
post #35 of 67
Quote:
Originally Posted by digitalclips View Post

Hopefully 10.9.2 will be released, patched, to all any day. I've lost count of the updates I've had!

Is XP SOOL I wonder? This affects all OSs doesn't it? ... so many PCs out there still using it!

I think it's an Apple-specific issue that time-wise began with iOS6 release.
melior diabolus quem scies
post #36 of 67
Quote:
Originally Posted by digitalclips View Post


Hopefully 10.9.2 will be released, patched, to all any day. I've lost count of the updates I've had!

Is XP SOOL I wonder? This affects all OSs doesn't it? ... so many PCs out there still using it!

 

This is an Apple specific issue entirely down to their own code. It's not a mistake in a standard or anything, it was an extra line of code unchecked and uncaught by anyone.

 

Droid, if you're intercepting ssl then it will fix that. Normal http will be as vulnerable as ever.

post #37 of 67

The tin foil hat brigade which suggests that Apple (or an employee) added the encryption to the source file, should go on to explain why it was then published in open source.

 

We don't know if that was the actual bug, either.

I wanted dsadsa but it was taken.
post #38 of 67

Well, you can bet that the NSA has been using this MITM attack vector to collect data from as many 'sources of interest' as possible before iOS and OS/X are patched.

post #39 of 67
Does that mean all my 1Password data being synced via iCloud was sent unencrypted under Mavericks and 7.0.x?

This bot has been removed from circulation due to a malfunctioning morality chip.

post #40 of 67
Quote:
Originally Posted by SolipsismX View Post

Does that mean all my 1Password data being synced via iCloud was sent unencrypted under Mavericks and 7.0.x?

 

It means that if an application used Apple's secure framework for HTTPS connections, that someone with access to your network or any network in between could have replaced the certificate with one they control, seeing the plain text of your communications.

 

However, 1Password could also encrypt their data on top of this, which would frustrate any analysis, and being in a position to do this would normally be something like the NSA or a poisoned open wifi AP.
