OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

[longofest]

I have another question related to this:

Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

My home router is only used by myself and family members. If I am fairly sure that my personal router is secure, was I safe? I use only my home WiFi and mobile phone service provider to connect to the Internet. I've never used any WiFi hotspots.

Yes, though generally services like twitter have pretty geographically distributed systems so it should not take many hops in order for your information to get to the twitterverse. Still, until it is at the destination, it is vulnerable.

Cannot stress enough how major of a flaw this is.

 

[vpndev]

true, but ...

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.

From what I've seen, the bug is indeed in the OS X framework.

However, OP is OK because apparently Chrome does NOT use that and comes with its own SSL package. In this particular case, one particular browser [at least] is not affected by the bug.

----------

Except Chrome doesn't use ... so I don't use it.

For me, the biggest reason to use Chrome is that it has Flash bundled in, so I do NOT have to have that POS installed generally on my system.

 

[Rigby]

However, OP is OK because apparently Chrome does NOT use that and comes with its own SSL package. In this particular case, one particular browser [at least] is not affected by the bug.

While the browser may not be affected, most people have more apps and services running on their Macs that use SSL, both actively (e.g. mail clients) and in the background (e.g. iCloud and OS update checks). So, just because you use Chrome or Firefox doesn't mean that you are safe.

 

[stars_fan]

The inconvenience factor of this bug is very high. I probably have 10 or more passwords that were possibly exposed as a result of this, which means having to generate a whole new set and remember all of them.

I changed a handful of important ones today, but not all, since I would not be able to remember a large # of changes. 2-step verification gives some peace of mind on some accounts. Even if the passwords were stolen I'd at least get an alert that someone was trying to break in.

::

The key word possibly. Unless you're cluelessly connecting your devices to random wifi or wired networks you should be just fine.

 

[sjinsjca]

The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly.

That's a very good point. Folks who reflexively click to bypass the invalid-certificate warning are blithely accepting the same thing that has the intertubes in a lather today.

 

[dannys1]

It's actually very hard for the average Joe to perform this attack at Starbucks, as well as pretty much all common public wifi networks, such as McDonalds or airports. Most of these networks have layers that make it very difficult. Access to the router would be the easiest way.

So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.

Its not that hard at all, and these people will now be targeting wifi spots. I have a friend that has a wifi transmitter which sends out common SSIDs. For instance Apple have the same SSIDS in all their stores, all he does is create that one and all iPhones are automatically connecting to him! He could easily do it in Starbucks, name it the same SSID and redirect traffic through his so the visitor knows no difference.

 

[kensic]

when are they going to fix this?

 

[C DM]

when are they going to fix this?

Based on the article, seems like soon.

 

[08380728]

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.

Yeah, OpenSSL, but it doesn't affect the official OpenSSL release, only Apple's version which they shouldn't be tampering with anyway, they aren't security experts.

 

[tywebb13]

First, the mac app store update is legitimate. I have the direct link for it which comes from an apple server. It shows up in the mac app store for mountain lion, but not for mavericks.

Second, I hope apple release a security update for 10.9.1 instead of rushing out 10.9.2. I tested 10.9.2 build 13C62 and that is vulnerable too. So they should fix it in the next beta for 10.9.2, but making 10.9.2 publicly available is not a good solution, given that there is still more beta testing for other unrelated issues going on for 10.9.2.

 

[ugcop]

Much to do about nothing on IOS devices. Not to worry, Safari will crash before any damage can be done.

 

[naeS1Sean]

Is that Apples "very soon"? Or real very soon...

 

[tywebb13]

They should have released it the same day as ios 7.0.6.

So their very soon is my very late.

 

[Retired Cat]

Its not that hard at all, and these people will now be targeting wifi spots. I have a friend that has a wifi transmitter which sends out common SSIDs. For instance Apple have the same SSIDS in all their stores, all he does is create that one and all iPhones are automatically connecting to him! He could easily do it in Starbucks, name it the same SSID and redirect traffic through his so the visitor knows no difference.

I spent an hour or two after dinner researching this bug, and I'm astounded at how a single redundant line of code can render the entire authentication system open to attack.

This should have been easy to spot. Someone stepping through the code would have realized what would happen: that the Certificate would never be checked.

What I'd like to know now is whether anyone suffered monetary loss because of a criminal using this exploit. Or if governments used it to spy on people.

 

[tywebb13]

And would apple be liable for damages? Maybe. Certainly if Apple have a fix for it and have not yet released it, the time in between when they knew how to fix it and public release could land them in court.

So far we know apple know how to fix it - and have not yet released the fix. In the mean time people are running vulnerable systems - possibly having money stolen from them.

 

[RMo]

This is what I got…. see attached. I found nothing on the Apple's security updates list…… is has the latest iOS 7.0.6

Your attachment is for the Mac App Store, an OS X app update. How is that related to iOS 7.0.6?

I'm not using 10.8 on any of my machines anymore, but I've never seen a Mac App Store update in the Mac App Store. However, I don't doubt that Apple could do this--I just don't think they ever have on 10.9 or on 10.8 before the release of 10.9 when I upgraded. You should have found a link to a KB article on Apple's site in the release notes or changelog that you could have followed to see more.* If it's listed on Apple's site, I'd say it's legit. And regardless, I've also never seen any sort of attack like this if it's not legit, but I guess there's a first for everything.

*Well, there should be--except if the update is new enough they don't always have it listed yet, in my experience, or their link may be broken.

PS - Is there some reason you type in a bold font by default?

 

[pierino84]

$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code?

 

[tywebb13]

Your attachment is for the Mac App Store, an OS X app update. How is that related to iOS 7.0.6?

I'm not using 10.8 on any of my machines anymore, but I've never seen a Mac App Store update in the Mac App Store. However, I don't doubt that Apple could do this--I just don't think they ever have on 10.9 or on 10.8 before the release of 10.9 when I upgraded. You should have found a link to a KB article on Apple's site in the release notes or changelog that you could have followed to see more.* If it's listed on Apple's site, I'd say it's legit. And regardless, I've also never seen any sort of attack like this if it's not legit, but I guess there's a first for everything.

*Well, there should be--except if the update is new enough they don't always have it listed yet, in my experience, or their link may be broken.

PS - Is there some reason you type in a bold font by default?

Didn't you read my post?

I said the mac app store update is legitimate, and I have proof of that.

(Oh why do I have to repost for people who don't read my posts?)

----------

Just in case you missed that, here it is again:

Didn't you read my post?

I said the mac app store update is legitimate, and I have proof of that.

(Oh why do I have to repost for people who don't read my posts?)

 

[Retired Cat]

Another question I have: how does this bug affect the integrity of the iOS App Store? Could the App Store be spoofed and a fake store give out bad apps?

I remember reading that the legit Apps are digitally signed though… hopefully does this mean they are safe?

 

[gotluck]

I'm under the impression that any compromises due to this bug require an 'unsecure' wired/wireless local network. As in the unscrupulous entity must be within your network at home/Starbucks /airport etc..

Cell data appears 'safe'. If this is not the case, I'm all ears.

 

[RMo]

Didn't you read my post.

I said the mac app store update is legitimate, and I have proof of that.

(Oh why do I have to repost for people who don't read my posts?)

Much more effective would be linking to the post where you said that, because if it is the one that I quoted, it was not very clear at all. Specifically, saying " I found nothing on the Apple's security updates list" still sounds like you're not sure, so my apologies for trying to help clarify that.

And none of this clears up why you're referencing iOS in the context of an OS X update.

 

[tywebb13]

Another question I have: how does this bug affect the integrity of the iOS App Store? Could the App Store be spoofed and a fake store give out bad apps?

I remember reading that the legit Apps are digitally signed though… hopefully does this mean they are safe?

Presumably the ios was fixed with 7.0.6.

I'm more worried by mavericks currently being left vulnerable by apple.

When I see that apple will release a fix soon, I want it in a few minutes.

Not hours, or days.

Minutes.

That's soon.

Apple dragging their heels on this could easily land them in court if someone has had money stolen.

 

[Rigby]

Another question I have: how does this bug affect the integrity of the iOS App Store? Could the App Store be spoofed and a fake store give out bad apps?

I remember reading that the legit Apps are digitally signed though… hopefully does this mean they are safe?

Yes, this is correct (unless you have jailbroken your device, which disables the signature check).

 

[Tech198]

oh oh... that's not good a SSL issue



In fact, i'm more concerned with mavericks than iOS, not just this specific issue, but lots of other ones..

How do we know SSL is the only one ? There could be many others Apple doesn't know about...

And frankly , i'm not even the bit surprised if there was more to come.

 

[tywebb13]

Much more effective would be linking to the post where you said that

No. I can go even better.

Here's the direct link ON AN APPLE SERVER of this update.

http://swcdn.apple.com/content/down...3kflff920aj1esepak7qizc3na/AppStoreUpdate.pkg

Is that proof enough?