Apple confirms OS X contains same SSL security flaw patched with iOS 7.0.6, says fix coming 'very so
Apple on Saturday said it is working to fix a flaw in OS X that could in some cases allow hackers to intercept communication sent using SSL/TSL security protocols. The same error was patched in an iOS update the company rolled out on Friday.
CVE ID description for Apple's iOS security flaw.
In a statement provided to Reuters, Apple confirmed researcher findings that the same SSL/TSL security flaw fixed with the latest iOS 7.0.2 update is also present in OS X. The Cupertino company said it expects to have a software update ready for release "very soon."
"We are aware of this issue and already have a software fix that will be released very soon," said Apple spokesperson Trudy Muller.
On Friday, Apple quietly pushed out iOS 7.0.2, with accompanying release notes saying the software "provides a fix for SSL connection verification." A support document issued alongside the update read:
As noted in the security document, iOS Secure Transport "failed to validate the authenticity of the connection." At its core, the issue stems from the mishandling and faulty recognition of digital certificates used to establish secure encrypted connections.
In the case of iOS and OS X, Apple's implementation is missing code, causing a failure to verify these certificates. When a user visits what they believe to be a trusted site, hackers can potentially pose as a legitimate certificate holder and collect data sent over the connection before handing it off to the real site.
While it is unclear exactly when Apple discovered the flaw, the CVE (Common Vulnerabilities and Exposures) identification code for the iOS version was reserved and assigned to an unknown party on Jan. 8. The CVE is a publicly available standardized reference for known software security vulnerabilities.
CVE ID description for Apple's iOS security flaw.
In a statement provided to Reuters, Apple confirmed researcher findings that the same SSL/TSL security flaw fixed with the latest iOS 7.0.2 update is also present in OS X. The Cupertino company said it expects to have a software update ready for release "very soon."
"We are aware of this issue and already have a software fix that will be released very soon," said Apple spokesperson Trudy Muller.
On Friday, Apple quietly pushed out iOS 7.0.2, with accompanying release notes saying the software "provides a fix for SSL connection verification." A support document issued alongside the update read:
End users not running the latest patched iOS software may be open to attacks when connected to a shared network. Nefarious users could potentially view, alter or download email and other data sent via the Secure Socket Link protocol, which falls under the umbrella of Transport Layer Security.iOS 7.0.6
Data Security
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
As noted in the security document, iOS Secure Transport "failed to validate the authenticity of the connection." At its core, the issue stems from the mishandling and faulty recognition of digital certificates used to establish secure encrypted connections.
In the case of iOS and OS X, Apple's implementation is missing code, causing a failure to verify these certificates. When a user visits what they believe to be a trusted site, hackers can potentially pose as a legitimate certificate holder and collect data sent over the connection before handing it off to the real site.
While it is unclear exactly when Apple discovered the flaw, the CVE (Common Vulnerabilities and Exposures) identification code for the iOS version was reserved and assigned to an unknown party on Jan. 8. The CVE is a publicly available standardized reference for known software security vulnerabilities.
Comments
2) As bad as this bug is I would wager that a person using it to read data you assumed secured is very remote.
7.0.6
Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.
Ars calls it "extremely critical." Part of the hoopla is also over the outsized impact of a simple coding mistake.
http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/
The link provided for the CVE is missing a "6" on the end. (Currently links to CVE-2014-126 instead of CVE-2014-1266)
Yeah, this site is known for their typos.
I hope this doesn't patch the MITM attack I've been using to mess with my cousin from my phone. It's funny watching him get all worked up when I redirect his traffic.
So which news articles have there been, before the patch was released, about actual attacks using this exploit.
It sounds like Apple fell victim to the common error discussed in this article:
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
This bug appears to have been introduced in OS X in Mavericks, it's not in Mountain Lion, maybe through their back to the Mac after putting it in iOS 6/7.
OS X 10.8 July 2012 -- iOS 6 Sept 2012 -- iOS 7 Sept 2013 -- Mavericks October 2013
For someone to exploit this, they need to be on a network between you and your destination. If you're on your home network, that's just people on your router and your ISP. They also would need to know that the exploit exists and how to exploit it to their advantage.
The worst case is for public wifi if you check email or do any digital banking but someone would have to be pretty much dumping all traffic from a public hotspot at all times in the hope that someone doing something worthwhile comes along with a device that had the vulnerability and then exploit it. Now that the exploit is known, it's more likely someone will try targeted attacks but they'd still be in for a long wait dumping public wifi traffic.
Really... Where's the editorial review, guys?
Probably the same place Apple's code review is.
Quote:
Just exactly how serious is this? The threads at Mac Rumors make it seem like the biggest breach in the history of software.
The worst part about it is it's a simple, fairly obvious typo (presumably). It shows poor software engineering practices at Apple all around: a coding style that's inconsistently applied throughout the file, poor code review, and poor software testing. And the worst part of it is that it's on a security critical piece of software which should have been third-party audited. If they can't get this right, what else is wrong?
That is what happens when you are obsessed with making the phone 0.00001mm thinner instead of taking care of things that truly matters like, you know, SECURITY!
This article contains the code review of the Apple's SSL/TLS bug:
https://www.imperialviolet.org/2014/02/22/applebug.html
If this is the actual code, it means there is no unit test for it.
Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.
Just so you're aware, the engineering team, design team and marketing team do not work on iOS's code.
Really? I didn't know that! So, I guess they don't all work for Apple. Probably the iOS code is some kind of external OS and Apple has nothing to do with it. I that case I have no complains at all. It's not Apple fault. Not their OS, sorry! Please Apple, please, concentrate all of your resources to make the next iPhone 0.00000001 mm thinner! That's what I really want!