OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

[RMo]

No. I can go even better.

Here's the direct link ON AN APPLE SERVER of this update.

http://swcdn.apple.com/content/down...3kflff920aj1esepak7qizc3na/AppStoreUpdate.pkg

Is that proof enough?

That is an answer to a question I did not ask. I don't doubt that the update is legitimate. I just didn't see where you said that you realized this, so I was asking you for clarification on where (in what post) you said this--and only because you incorrectly assumed and very rudely asserted that I had not read what you said.

That being said, since you got the problem solved and I was merely trying to help figure it out, that's mostly irrelevant now. Again, my apologies: nothing I remember reading made this fact clear to me.

PS - Still not sure how iOS was relevant to the OS X update.

EDIT: I see you linked now, so thanks. I'm guessing I missed the post since it was written without a quote and I therefore didn't think it would be related to anything else. Of course, my iOS confusion still stands, but as long as the problem is resolved...

----

In fact, i'm more concerned with mavericks than iOS, not just this specific issue, but lots of other ones.

Do you use your Mac a lot on public networks, then? I'm more worried about iOS since they can only be used on WiFi and I frequently use them on various public and semi-public networks. My Mac, on the other hand, while technically a laptop, usually stays at home--and while it's still vulnerable in that someone could try to work their way into my WiFi or splice their way into my home's Ethernet, I'm a little less worried about that.

 

[Smacky]

If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.

 

[tywebb13]

I just didn't see where you said that you realized this, so I was asking you for clarification on where (in what post) you said this.

The original post where I first said it was at https://forums.macrumors.com/posts/18802955/

But the post you quoted with the direct link to apple's server is probably more important now.

 

[Retired Cat]

If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.

I've been checking the threads here and elsewhere during the day, and I don't see much acceptance or defense of what is clearly a glaring and unacceptable mistake from Apple.

 

[tywebb13]

Yeah. I agree with you Retired Cat.

But what is worse is that we have been told that apple know how to fix it and have not yet released the fix.

 

[SusanK]

If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.

No tweet from Phil Schiller yet

 

[charlituna]

I'm a tad confused. What exactly is a "privileged network position"

Also many sites are claiming this is a major security issue and they are dismayed Apple allowed it etc. But what attacks have there been and verified using this issue. First time I've recall hearing about it in mass is when this update came out. I would think if some hacker pulled off an attack using it we'd have heard insane amounts about it

 

[C DM]

$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code?

Yeah, skimming often doesn't find stuff like this which is easily overlooked and hard to even come by despite being completely obvious when pointed out.

 

[charlituna]

I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5

Possibly not a mountain lion issue. But yes or no on that, the articles say the attacker has to be on the same network connection. If you are at home on a passworded wifi etc they can't do anything.

 

[castlerock]

I'm under the impression that any compromises due to this bug require an 'unsecure' wired/wireless local network. As in the unscrupulous entity must be within your network at home/Starbucks /airport etc..

Cell data appears 'safe'. If this is not the case, I'm all ears.

'Cell data appears safe' -- ahem, not if you're in Sochi, for example.

 

[charlituna]

Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy a the next table in Starbucks can't attack you using this.

Actually according to articles he might be able to. Because the same network is required. You would both likely be on Starbucks public wifi so the door is unlocked allowing him to push in if he wants

If you the attacker are on Starbucks wifi and I'm on my Verizon cell data, no go. Especially if my wifi is turned off

 

[Retired Cat]

I'm a tad confused. What exactly is a "privileged network position"



Also many sites are claiming this is a major security issue and they are dismayed Apple allowed it etc. But what attacks have there been and verified using this issue. First time I've recall hearing about it in mass is when this update came out. I would think if some hacker pulled off an attack using it we'd have heard insane amounts about it

As far as I can tell, "Privileged network position" means control over a network node. That could be a router at home or at the ISP. I think that most home routers would not have the speed or capacities to fake being a bank website or something important, but I'm guessing that severs on the ISP's side could do it if hijacked and properly configured.

 

[gotluck]

'Cell data appears safe' -- ahem, not if you're in Sochi, for example.

Yea fair enough, you must be able to 'trust' the carrier

 

[MahBoi]

I'm a tad confused. What exactly is a "privileged network position"

Also many sites are claiming this is a major security issue and they are dismayed Apple allowed it etc. But what attacks have there been and verified using this issue. First time I've recall hearing about it in mass is when this update came out. I would think if some hacker pulled off an attack using it we'd have heard insane amounts about it

A privileged network position is a router or anything that the users are going to send their data through. So if you have Wireshark or something running on a computer acting as a gateway before the router, you can exploit this. Or the site on the other end can have someone sniffing data going to it and take your information.

 

[manu chao]

READ: Introduced in 10.9. I tested my Safari (running 10.8.5), and it's fine. Yet another Mavericks bug I'll go laugh at my friend who thinks that Mavericks was a worthwhile upgrade.

There can be feature changes you don't like, there can be different bugs than in previous OS that will bug you. But it's still the current OS, the only one that gets updates that fix non-security bugs. Unless you have issues with the first two points that are significant, not updating at all is not a rational decision.

So, yes, Mavericks has a bug that ML doesn't have, but then ML will have bugs that Mavericks doesn't. I don't know what version of TLS Mavericks has, but ML has an older version than iOS 7 (1.0 instead of 1.2) and is thus vulnerable to the known weaknesses of TLS that were fixed in version 1.2. Just visit this site: https://www.howsmyssl.com and see for yourself.

I just keep being amazed that people will not upgrade to a new OS because of a handful or at most a dozen of points where Mavericks might objectively be called worse than ML while ignoring the hundreds of objective improvements. It's that human weakness of being swayed by a few examples without checking whether those examples are actually representative.

There are objective reasons not to upgrade, some feature changes might objectively be to your disadvantage and if somebody will be permanently ticked off by a certain change, not upgrading might be better. And with any new things that haven't been used on a large scale, there can be new, significant bugs. But after a couple months almost all significant ones will have been discovered.

Edit: Just to underline my point: http://blog.ivanristic.com/2013/10/apple-enabled-beast-mitigations-in-mavericks.html

 

[C DM]

Presumably the ios was fixed with 7.0.6.

I'm more worried by mavericks currently being left vulnerable by apple.

When I see that apple will release a fix soon, I want it in a few minutes.

Not hours, or days.

Minutes.

That's soon.

Apple dragging their heels on this could easily land them in court if someone has had money stolen.

Welcome to the world of technology.

----------

'Cell data appears safe' -- ahem, not if you're in Sochi, for example.

Even in Sochi it's just about as safe.

 

[Matt8045]

Stock down how much Monday cause of this? 5? 10? 20 points?

 

[Rogifan]

Stock down how much Monday cause of this? 5? 10? 20 points?

It was down Thursday and Friday so will probably be up on Monday.

 

[ITGuy]

So now we know the test plans for iOS and OS X don't include checking the SSL code to ensure it actually works.

I hope Tim Cook rips the appropriate people a new one!


-ITG

 

[dazzvazz]

Apple has clumsily approached this problem. They shouldn't have released a fix until they had one for all major iOS/OSX iterations. They have essentially alerted all potential malicious users to a potentially unknown security flaw before providing a fix for all. Talk about kicking OSX users in the teeth.

I have seen the source code for this in an article elsewhere. It's good to see Apple is upholding good coding practices of using goto statements and omitting curly braces for single line if-else blocks *sarcasm*.

If they ever hope to regains trust I expect a full security overhaul the world has never seen the likes of before.

 

[uwbadger]

If it was in the App Store, it's safe. Sounds like it was an update to the App Store application itself.

Nope, that's the problem. Since SecureTransport is vulnerable and the traffic can be man-in-the-middled, you cannot be sure the App Store is safe.

 

[charlituna]

Apple has clumsily approached this problem. They shouldn't have released a fix until they had one for all major iOS/OSX iterations. They have essentially alerted all potential malicious users to a potentially unknown security flaw before providing a fix for all. Talk about kicking OSX users in the teeth.

.

But is it really such a kick. Many Mac users don't take their computers out of the house to be on easy to access networks. Same with office macs. And those folks that might take it to Starbucks or such have been warned thanks to all the coverage.

So in light of this, is the issue that huge

 

[XboxMySocks]

Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.

Essentially, it allows someone to be the middleman between an SSL encrypted server and the user. Without either end knowing.

ALMOST everything on the internet in iOS uses SSL. It's a pretty big bug.

 

[NUR6]

I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5

Is it a server?

I had the same notification on my Mac Mini Server (10.8.5) and have talked to Apple Support that said it was an update for MacOS X servers not a normal OS X update and that's why it didn't show up under the basic OS updates releases. It could also explain why it is not seen by all. I have not confirmed that with the server support folks but Apple Support tech (with supervisor consultation) were confident that if it was pushed out via the App Store is was official. The server version of the App Store is now v1.2.2 (129.16)

 

[MahBoi]

There can be feature changes you don't like, there can be different bugs than in previous OS that will bug you. But it's still the current OS, the only one that gets updates that fix non-security bugs. Unless you have issues with the first two points that are significant, not updating at all is not a rational decision.

I'll update if/when they're fixed, not at version 10.9.0. I actually tried it for a few weeks on my computer since I updated right when it came out… later, I downgraded. It's also got other bugs that happen to some people (aka me and my family) like the random logout, the huge CPU usage, the corrupted installation, and the Dock randomly switching screens when controlling with VNC. Why jump the gun on updating when you can stick with your stable OS and wait a bit?

Even then, not sure if it's worth updating unless they fix a serious problem only in 10.9 since the OS overall seems to be slower on every computer I've tried. From what I've experienced, they don't seem to have fixed anything but QuickTime Player's screen recording capability. No new features worth noting besides Activity Monitor telling you per-process network usage and Finder having a really primitive tabs feature. A few features like color labels and "open in new window" removed. Definitely no performance improvements.

----------

But is it really such a kick. Many Mac users don't take their computers out of the house to be on easy to access networks. Same with office macs. And those folks that might take it to Starbucks or such have been warned thanks to all the coverage.

So in light of this, is the issue that huge

I'm pretty sure that most Macs are MacBook Pros. Those users are taking them out to coffee shops, airports, schools, etc. But I still don't think man-in-the-middle attacks are very easy to pull off anyway. EDIT: Oh wait, someone mentioned ARP spoofing, and I checked on Wikipedia. That's scary.