OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

[Rigby]

I have another question related to this:

Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

It is unlikely (with the exception of certain "agencies" that maintain sniffing equipment withing the Internet's routing infrastructure).

 

[Reason077]

I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.

The bug is not present in Mountain Lion or earlier. It affects iOS 6 & 7, and OS X Mavericks.

 

[coolfactor]

I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5

Was the actual name, exactly like this: "Mac App Store update 1.0"

If so, there's some things to pay attention to.

1. Apple would never write the name like that, with a lowercase "u".
2. What were the change notes?
3. There hasn't been an update to the Mac App Store application for Mavericks in the last 30 days.

 

[petsounds]

Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

Well, anyone with physical access to the fiber carrying your data packets could intercept them. And that's how the NSA scrape raw internet data packets. There's a trust relationship inherent in how the internet works. So theoretically, sure, some IT guy at an ISP or backbone provider could snoop into your data. I believe they could use this exploit as well, but I'm not an expert on these kinds of MITM attacks.

 

[Reason077]

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.

Actually, Chrome and Firefox do not use the OS X-provided framework (SecureTransport), they use a different implementation (NSS). So they are not affected.

 

[petsounds]

Actually, Chrome and Firefox do not use the OS X-provided framework (SecureTransport), they use a different implementation (NSS). So they are not affected.

Ah, yeah I was thinking about that as I posted, thanks for clarifying. Makes sense considering those are cross-platform apps.

 

[coolfactor]

The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly.

That may be the case, but there is also a difference between "certificate invalid" and "certificate not verified". That second warning comes up for self-signed certificates, which are just as secure as verified certificates, but don't have a 3rd-party verifier. That's the only difference. I suspect you were referring to that second type of warning. It's not a concern. Some companies just don't obtain their certificates from verified issuers. It doesn't mean the network communications are any less secure.

 

[zorinlynx]

The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly.

I sure as hell do.

If I get an invalid certificate error on a site where security matters, I stop right there and don't do anything else.

I've never actually gotten one on a site where security matters. 100% of all the invalid SSL cert errors I've gotten have been when browsing to random sites online where I don't even have to log into anything to read what I want to read. In these cases I just ignore the warnings.

 

[MahBoi]

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.

Except Chrome doesn't use those core frameworks. It also doesn't seem to use the Keychain, which ticks me off, so I don't use it.

 

[zorinlynx]

That may be the case, but there is also a difference between "certificate invalid" and "certificate not verified". That second warning comes up for self-signed certificates, which are just as secure as verified certificates, but don't have a 3rd-party verifier. That's the only difference. I suspect you were referring to that second type of warning. It's not a concern. Some companies just don't obtain their certificates from verified issuers. It doesn't mean the network communications are any less secure.

Actually it does matter for the first time you connect to the site.

If the cert is not signed, you might become victim of a man in the middle attack because you have no way of knowing who signed that certificate.

This only matters for the FIRST time though. Once you tell it to accept the self signed cert, if the cert CHANGES (IE, a MIM attack takes place) you will be notified. This is the security I use with my personal domain.

 

[MahBoi]

I sure as hell do.

If I get an invalid certificate error on a site where security matters, I stop right there and don't do anything else.

I've never actually gotten one on a site where security matters. 100% of all the invalid SSL cert errors I've gotten have been when browsing to random sites online where I don't even have to log into anything to read what I want to read. In these cases I just ignore the warnings.

I think you see the error if the site didn't pay the money to get the certificate signed by some authority. But I've seen those errors even on Google a few years ago. Also sometimes when I send emails. I'd stop if it was on TDAmeritrade.com or PayPal

----------

That may be the case, but there is also a difference between "certificate invalid" and "certificate not verified". That second warning comes up for self-signed certificates, which are just as secure as verified certificates, but don't have a 3rd-party verifier. That's the only difference. I suspect you were referring to that second type of warning. It's not a concern. Some companies just don't obtain their certificates from verified issuers. It doesn't mean the network communications are any less secure.

Ah, that explains it. Pretty sure I was getting the "not verified" errors.

 

[Xe89]

Was the actual name, exactly like this: "Mac App Store update 1.0"

If so, there's some things to pay attention to.

1. Apple would never write the name like that, with a lowercase "u".
2. What were the change notes?
3. There hasn't been an update to the Mac App Store application for Mavericks in the last 30 days.

No, that was not the actual name. I'm using Swedish as system language so the actual name was Mac App Store-uppdatering 1.0. That is correct spelling.

I don't know the exact change notes, but they were about improved notifications. The update was listed under Software Update and required a restart.

But as other have pointed out, Mountain Lion seems to be safe so I'm not worried.

 

[theheadguy]

This title is misleading. People still using Safari are at risk, not people using Chrome on OS X.

 

[C DM]

It's def a recent fix, it's not in 7.1B5

Hopefully they'll release an iOS 7.1 beta (or perhaps even a GM) update very soon with this patches in it.

 

[haravikk]

I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.

I don't think Mountain Lion needs to be; I just went to the test site on my main computer, which I'm still delaying upgrading to Mavericks (hoping to just get a new computer instead) and it is reported as not vulnerable.

There must have been some kind of change to how SSL is handled in Mavericks, and for some reason the correct behaviour is either buggy or missing.

 

[C DM]

READ: Introduced in 10.9. I tested my Safari (running 10.8.5), and it's fine. Yet another Mavericks bug I'll go laugh at my friend who thinks that Mavericks was a worthwhile upgrade.

With this being there for a while without it being know at all or at least publicly known, what are the chances that there aren't other security issues present in earlier OS X versions? Practically no software is fully secure, especially something as large and complex as an OS.

 

[LV426]

This title is misleading. People still using Safari are at risk, not people using Chrome on OS X.

That post is misleading. Your computer does a lot more than run a browser. SSL is used all over the place.

 

[jlnr]

There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.

10.9 is not even on the majority of Macs:

http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

...and after this bug, I feel even dumber for upgrading at .1 and not .2

(Edit: I hope this link works. It worked for me for the first time, now it wants me to sign up?)

 

[MikhailT]

Actually, Chrome and Firefox do not use the OS X-provided framework (SecureTransport), they use a different implementation (NSS). So they are not affected.

Right, his point is that it's not a simple bug that affects Safari only but any apps that also use the same SecureTransport APIs. It's a core OS X bug, not a Safari bug.

This title is misleading. People still using Safari are at risk, not people using Chrome on OS X.

It's a core system bug, not a Safari bug. Any apps using SecureTransport APIs are affected. Chrome/Firefox are not using SecureTransport, they're using NSS instead.

Therefore it is not misleading at all.

 

[MahBoi]

With this being there for a while without it being know at all or at least publicly known, what are the chances that there aren't other security issues present in earlier OS X versions? Practically no software is fully secure, especially something as large and complex as an OS.

Security flaws don't matter unless someone who would exploit them knows about them. Look, SHA2 is vulnerable too! I mean, if someone can figure out how to crack it. It hasn't been mathematically proven to be safe.

Anyway, you'll run into fewer bugs and vulnerabilities if you use the most recent revision of the second most recent Mac OS X rather than the latest version there is. I don't know why I impulsively updated to 10.9.0 when it first came out, but that was a serious mistake.

 

[Msail30bay]

I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5

I just checked mine and yes, it saying the same thing……. double check on Apple support/software updates page to see IF they listed it…….. going to do that….. I get lazy about opening the App Store to check for update, so lesson learned.

 

[C DM]

Security flaws don't matter unless someone who would exploit them knows about them. Look, SHA2 is vulnerable too! I mean, if someone can figure out how to crack it. It hasn't been mathematically proven to be safe.

Anyway, you'll run into fewer bugs and vulnerabilities if you use the most recent revision of the second most recent Mac OS X rather than the latest version there is. I don't know why I impulsively updated to 10.9.0 when it first came out, but that was a serious mistake.

There can be some that are known to some that can be exploited but aren't known publicly or by Apple. Like perhaps this one was for a while until it was actually worked on and patched. Hard to really know all of this in a lot of the cases.

They could have just as easliy found something suddenly that affects Lion and Mountain Lion but doesn't affect Mavericks because of some change there that makes it not affected. Things like that happen all the time too. Like an IE patch that was released just this week to plug a hole in IE 9 and 10 while the most recent and fairly young IE 11 is not affected by the exploit.

 

[Msail30bay]

Was the actual name, exactly like this: "Mac App Store update 1.0"

If so, there's some things to pay attention to.

1. Apple would never write the name like that, with a lowercase "u".
2. What were the change notes?
3. There hasn't been an update to the Mac App Store application for Mavericks in the last 30 days.

This is what I got…. see attached. I found nothing on the Apple's security updates list…… is has the latest iOS 7.0.6

 

[NMBob]

Mountain Lion doesn't appear to have this bug.

Same here. Safari 6.1.1 (857.73.11) on my ML MacBook says it's OK, but 7.0.1 (9537.73.11) on my Mavericks iMac says it's bad -- even though the Safari version doesn't matter, it just shows the problem. I KNEW Mavericks was bad (I don't like it). My iPad Air says it's OK after 7.0.6.

 

[Retired Cat]

Wait, so now I have to upgrade my iPhone and rejailbreak it. Aaaaghhhhhhh!

The inconvenience factor of this bug is very high. I probably have 10 or more passwords that were possibly exposed as a result of this, which means having to generate a whole new set and remember all of them.

I changed a handful of important ones today, but not all, since I would not be able to remember a large # of changes. 2-step verification gives some peace of mind on some accounts. Even if the passwords were stolen I'd at least get an alert that someone was trying to break in.

::