Apple confirms OS X contains same SSL security flaw patched with iOS 7.0.6, says fix coming 'very so

Posted:
in General Discussion edited February 2014
Apple on Saturday said it is working to fix a flaw in OS X that could in some cases allow hackers to intercept communication sent using SSL/TSL security protocols. The same error was patched in an iOS update the company rolled out on Friday.

CVE
CVE ID description for Apple's iOS security flaw.


In a statement provided to Reuters, Apple confirmed researcher findings that the same SSL/TSL security flaw fixed with the latest iOS 7.0.2 update is also present in OS X. The Cupertino company said it expects to have a software update ready for release "very soon."

"We are aware of this issue and already have a software fix that will be released very soon," said Apple spokesperson Trudy Muller.

On Friday, Apple quietly pushed out iOS 7.0.2, with accompanying release notes saying the software "provides a fix for SSL connection verification." A support document issued alongside the update read:
iOS 7.0.6

Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
End users not running the latest patched iOS software may be open to attacks when connected to a shared network. Nefarious users could potentially view, alter or download email and other data sent via the Secure Socket Link protocol, which falls under the umbrella of Transport Layer Security.

As noted in the security document, iOS Secure Transport "failed to validate the authenticity of the connection." At its core, the issue stems from the mishandling and faulty recognition of digital certificates used to establish secure encrypted connections.

In the case of iOS and OS X, Apple's implementation is missing code, causing a failure to verify these certificates. When a user visits what they believe to be a trusted site, hackers can potentially pose as a legitimate certificate holder and collect data sent over the connection before handing it off to the real site.

While it is unclear exactly when Apple discovered the flaw, the CVE (Common Vulnerabilities and Exposures) identification code for the iOS version was reserved and assigned to an unknown party on Jan. 8. The CVE is a publicly available standardized reference for known software security vulnerabilities.
«134

Comments

  • Reply 1 of 66
    solipsismxsolipsismx Posts: 19,566member
    1) Still present in latest 10.9.2 beta.

    2) As bad as this bug is I would wager that a person using it to read data you assumed secured is very remote.
  • Reply 2 of 66
    Seriously... 7.0.2 in the headline and every in-story reference except the copy-n-paste one from Apple?? -- Really... Where's the editorial review, guys?
  • Reply 3 of 66
    poochpooch Posts: 768member
    well, in their defense they did mention 7.0.2 three times and that does add up to 7.0.6.
  • Reply 4 of 66
    jccjcc Posts: 210member
    The headline is wrong. Don't you mean 7.0.6?
  • Reply 5 of 66
    sporlosporlo Posts: 143member

    7.0.6 :)

  • Reply 6 of 66
    rogifanrogifan Posts: 10,669member
    solipsismx wrote: »
    1) Still present in latest 10.9.2 beta.

    2) As bad as this bug is I would wager that a person using it to read data you assumed secured is very remote.
    Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.
  • Reply 7 of 66
    Quote:
    Originally Posted by Rogifan View Post





    Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

    Ars calls it "extremely critical." Part of the hoopla is also over the outsized impact of a simple coding mistake.

     

    http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/

  • Reply 8 of 66
    ecatsecats Posts: 272member
    The link provided for the CVE is missing a "6" on the end. (Currently links to CVE-2014-126 instead of CVE-2014-1266)
  • Reply 9 of 66
    Quote:

    Originally Posted by ECats View Post



    The link provided for the CVE is missing a "6" on the end. (Currently links to CVE-2014-126 instead of CVE-2014-1266)

     

    Yeah, this site is known for their typos.

  • Reply 10 of 66
    So which news articles have there been, before the patch was released, about actual attacks using this exploit.
  • Reply 11 of 66
    droidftwdroidftw Posts: 1,009member

    I hope this doesn't patch the MITM attack I've been using to mess with my cousin from my phone.  It's funny watching him get all worked up when I redirect his traffic.

  • Reply 12 of 66
    lkrupplkrupp Posts: 6,810member
    Quote:

    Originally Posted by charlituna View Post



    So which news articles have there been, before the patch was released, about actual attacks using this exploit.



     


    Well, that’s a point to be taken. Almost all of these so-called major flaws or bugs never see the light of day in the real world. They are just ginned up to paranoia level by trolls and security software hawkers. 
  • Reply 13 of 66
    nagrommenagromme Posts: 2,834member
    This bug does not affect pre-Mavericks users, correct? (Nor 10.9.0 users--if any? Just the current 10.9.1?)
  • Reply 14 of 66
    malaxmalax Posts: 1,598member

    It sounds like Apple fell victim to the common error discussed in this article:

     

    https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

  • Reply 15 of 66
    MarvinMarvin Posts: 14,209moderator
    charlituna wrote: »
    So which news articles have there been, before the patch was released, about actual attacks using this exploit.

    This bug appears to have been introduced in OS X in Mavericks, it's not in Mountain Lion, maybe through their back to the Mac after putting it in iOS 6/7.

    OS X 10.8 July 2012 -- iOS 6 Sept 2012 -- iOS 7 Sept 2013 -- Mavericks October 2013

    For someone to exploit this, they need to be on a network between you and your destination. If you're on your home network, that's just people on your router and your ISP. They also would need to know that the exploit exists and how to exploit it to their advantage.

    The worst case is for public wifi if you check email or do any digital banking but someone would have to be pretty much dumping all traffic from a public hotspot at all times in the hope that someone doing something worthwhile comes along with a device that had the vulnerability and then exploit it. Now that the exploit is known, it's more likely someone will try targeted attacks but they'd still be in for a long wait dumping public wifi traffic.
  • Reply 16 of 66


    Quote:
    Originally Posted by Jamescat View Post



    Really... Where's the editorial review, guys?

     

    Probably the same place Apple's code review is.

     

    Quote:

    Originally Posted by Rogifan View Post



    Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

     

    The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?

  • Reply 17 of 66

    That is what happens when you are obsessed with making the phone 0.00001mm thinner instead of taking care of things that truly matters like, you know, SECURITY!

  • Reply 18 of 66
    rogifan wrote: »
    Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.

    This article contains the code review of the Apple's SSL/TLS bug:
    https://www.imperialviolet.org/2014/02/22/applebug.html

    If this is the actual code, it means there is no unit test for it.
  • Reply 19 of 66
    nelsonx wrote: »
    That is what happens when you are obsessed with making the phone 0.00001mm thinner instead of taking care of things that truly matters like, you know, SECURITY!

    Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.
  • Reply 20 of 66
    Quote:

    Originally Posted by MazeCookie View Post





    Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.

    Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. I that case I have no complains at all. It's not Apple fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!

Sign In or Register to comment.