Pretty silly that Apple can't just bundle this detection into their App Store approvals process. They could also issue massive warnings to app makers and give a deadline to fix or their apps get removed.

I would have thought this would be the sensible thing to have done, rather than rely on all affected to resubmit for approval.

If it's a known issue, then there is a window of opportunity for the time Apple doesn't take action (unless they have no idea).

Actually, the Guest account is "Off" by default after installation.

I doubt someone could fake your own wi-fi, since for that to happen they'd need your wi-fi password... something I treat as much as getting a Gold iPhone :D

Either way, this is just a better reason to think about using 10.x now.
Being on the same network... is of no issue to me, since I never allow anyone on my wifi network, nor do I join unknown hotspots I do not control; this includes open hotspots (aka the only one I use is sometimes over iPhone cellular). :apple: But I would think I'm safe even on there, yes?
 
It's not the platform that is insecure here. It's a third party library that doesn't properly handle HTTPS in an OLDER version that has since been updated and patched. It's the developers of the app that are at fault here.

If my house has a crappy lock on it does the insurance company say the house is insecure? I believe they do.
Apple have blocked insecurities in the past when they want to, (think Flash), so they slipped up here?
 
Not op, but http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

The trick here is that they say "OS X", as it could be any of them! On the other hand, each Windows version is treated separately.

Interesting, I have never heard of GFI until now. Bookmarked it.

One issue: they lump OS X into one category while Windows and others are broken down by release. That creates statistical swiss cheese. Break it down by which OS X variants and what exploits for each.
 
Just exactly how big of an issue is this really? Should I delete "Movies" by Flixter from devices, for instance?

No, I don’t think that is necessary, but it depends. Basically, whenever you transmit data over an unencrypted connection, you are exposing that data to potential man-in-the-middle attacks when connected to public networks. This risk doesn’t have to be critical, but it can be. If you are transmitting very sensitive information, like in a banking app, then this is a serious issue. However, apps like Movies by Flixter are hardly worth the effort, since the reward for such an attack is minimal.

It is generally good to be cautious about public networks. Preferably, use VPNs when connected to a public network and use unique passwords for accounts, so that the security of your other services is not jeopardised.

If my house has a crappy lock on it does the insurance company say the house is insecure? I believe they do.
Apple have blocked insecurities in the past when they want to, (think Flash), so they slipped up here?

You are not going to blame the builder of the house for that, but the seller of the doorlock.
 
Interesting, I have never heard of GFI until now. Bookmarked it.

One issue: they lump OS X into one category while Windows and others are broken down by release. That creates statistical swiss cheese. Break it down by which OS X variants and what exploits for each.

Again, at the bottom of the page, the Windows counts are aggregated. It is not a total of all the Windows exploits.
 
It's not the platform that is insecure here. It's a third party library that doesn't properly handle HTTPS in an OLDER version that has since been updated and patched. It's the developers of the app that are at fault here.

The developers of the applications are not necessarily at fault here.

The library is an open source library where the flaw was one line of code and the fix was released yesterday.

https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3

The release/patch was published yesterday. In that time Apple can't approve 1500 developers updated apps.

Heck, the tests for this fix were pushed in that release as well. Something that didn't exist before.

If anyone is at fault it would be the community of developers for AFNetworking.

But assigning blame is not what's best. Everyone should rather work quickly to get everything updated as soon as possible.
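Added example, written for this thread rather than taken from AFNetworking or from any poster: a plain-Python model of the failure mode under discussion. It assumes the "one line" was of the hostname-validation kind, i.e. a TLS client that verifies the certificate chain but never checks that the certificate names the host the app meant to reach; in that state any certificate a public CA issued for any domain is accepted, so whoever runs the "Free WiFi" you joined can sit in the middle of a connection that still shows as HTTPS. The switch `validates_domain_name`, the helper names, and the certificates `BANK_CERT` / `ATTACKER_CERT` are all invented for the demo; the certificate dicts are constructed stand-ins in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so nothing here touches the network.

```python
"""Added example (not AFNetworking's code, not from anyone in this thread).

Models a TLS client that validates the certificate chain but skips the
identity check, and shows the same two states in Python's ssl API.
Certificates below are constructed stand-ins, not real certificates.
"""
import ssl
from typing import Mapping, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one DNS name from a certificate against
    the host the client connected to. Case-insensitive, trailing dot ignored.
    A '*' is accepted only as the whole leftmost label, only when at least two
    labels follow it (so '*.com' never matches), and it matches exactly one
    label. Partial wildcards such as 'f*o.example' are rejected, which is
    stricter than the RFC permits but what browsers and CPython do today.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if any(not lbl for lbl in p_labels + h_labels):
        return False                      # empty label: '' or '.example'
    if len(p_labels) != len(h_labels):
        return False                      # a wildcard never spans a dot
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def _common_name(cert: Mapping) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def verify_peer(cert: Mapping, hostname: str, validates_domain_name: bool = True) -> bool:
    """Identity check a client must run after the chain has validated.

    `validates_domain_name` is an invented stand-in for a client-side switch
    that lets the identity step be skipped: with it off, every chain-valid
    certificate is accepted, which is the bug. Names come from subjectAltName;
    commonName is consulted only when the cert carries no DNS SAN (legacy).
    """
    if not validates_domain_name:
        return True                       # chain checked, identity never checked
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(hostname_matches(name, hostname) for name in dns_names)
    cn = _common_name(cert)
    return cn is not None and hostname_matches(cn, hostname)


def secure_client_context() -> ssl.SSLContext:
    """What a fixed client should use: chain AND hostname are verified."""
    return ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True


def chain_only_client_context() -> ssl.SSLContext:
    """The vulnerable configuration expressed in Python's ssl API: the chain
    is still required to validate, but the name check is switched off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # verify_mode stays CERT_REQUIRED
    return ctx


# Constructed certificates for the demo (stand-ins, not real certificates).
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
# A perfectly valid certificate an attacker obtained for a domain they own.
ATTACKER_CERT = {
    "subject": ((("commonName", "free-wifi-login.example"),),),
    "subjectAltName": (("DNS", "free-wifi-login.example"),),
}

if __name__ == "__main__":
    target = "api.bank.example"
    print("bank cert, checks on     :", verify_peer(BANK_CERT, target))
    print("attacker cert, checks on :", verify_peer(ATTACKER_CERT, target))
    print("attacker cert, checks OFF:",
          verify_peer(ATTACKER_CERT, target, validates_domain_name=False))
```

The point of the third line of output is that the attacker never needs the bank's key or a forged certificate: a real certificate for a domain they own is enough once the client stops asking whose name is on it. In a pinned configuration the pin itself is what stands in for the name check, and a client that neither pins nor checks names has effectively opted out of TLS authentication while still showing the padlock.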
 
Is it me or do iOS and OS X have more issues than usual recently?

Especially iOS
 
I would have thought this would be the sensible thing to have done, rather than rely on all affected to resubmit for approval.

If it's a known issue, then there is a window of opportunity for the time Apple doesn't take action (unless they have no idea).

Actually, the Guest account is "Off" by default after installation.

I doubt someone could fake your own wi-fi, since for that to happen they'd need your wi-fi password... something I treat as much as getting a Gold iPhone :D

Either way, this is just a better reason to think about using 10.x now.
Being on the same network... is of no issue to me, since I never allow anyone on my wifi network, nor do I join unknown hotspots I do not control; this includes open hotspots (aka the only one I use is sometimes over iPhone cellular). :apple: But I would think I'm safe even on there, yes?

It's much easier than you think man. If you have ever connected to a public wifi you are at risk.

https://scotthelme.co.uk/wifi-pineapple-karma-dnsspoof/

----------

The developers of the applications are not necessarily at fault here.

The library is an open source library where the flaw was one line of code and the fix was released yesterday.

https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3

The release/patch was published yesterday. In that time Apple can't approve 1500 developers updated apps.

Heck, the tests for this fix were pushed in that release as well. Something that didn't exist before.

If anyone is at fault it would be the community of developers for AFNetworking.

But assigning blame is not what's best. Everyone should rather work quickly to get everything updated as soon as possible.

This is EXACTLY what I was thinking
 
Is it me or do iOS and OS X have more issues than usual recently?

Especially iOS

I think they've been there all along, we just didn't realize it till the last couple of years. iOS was supposedly easy pickings prior to v8 (the NSA internally referred to iOS users as zombies) - companies (more than one) sold commercial products to compromise & access all user data on iOS devices.

iOS 8 has tightened things down a lot more than prior releases (thanks to Apple's efforts but also to individuals pointing out the large security holes - with the public attention helping to get them closed), but this is going to be an ongoing battle... and Apple needs to change their culture (whether they want it or not, Apple is at war versus hackers and government(s) - which want compromises in all devices).
 
I'm still pretty annoyed that they didn't bother releasing the Rootpipe fix for older OSes, regardless of how significant it is. Oh well, looks like it didn't fix Yosemite anyway so all is good lol.
 
Ugh. I've been using OS X for over a decade, the day any AntiVirus software is needed (i.e. a must), I'll die a little inside.

Slightly OT: My friends and I joke about who has time to create viruses/worms/etc. They aren't getting paid to spend hours a day for weeks, sometimes longer, to create a virus that normally holds little financial access/gain. One NYE, I was in SLC skiing with friends (and friends of friends) from SF and London, one of them worked in marketing for McAfee or such. Talking about viruses, we joked about who makes them and kidded it was the AntiVirus companies in order to create a market for their product. The guy from McAfee looked away and sipped his beer in a not so subtle way of suggesting truth, although I'm sure he was kidding... right? :eek:

I do agree with you. I think they do create viruses to sell their product. I haven't had any attacks for a few days but I continue to monitor because no OS is impenetrable.
 
'generating a fake wifi hotspot'

i don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?

1. Go to any public place (restaurant, train station, airport, ...)
2. Setup your own Wi-Fi hotspot, no password set
3. Don't call it EvilNetwork, but rather...
4. "Free WiFi"

Be surprised how many people will willfully connect to that "fake" Wi-Fi hotspot...
 
0.107% of the apps are impacted. If you use 1.4 million as the total number of apps.

Am I underestimating the monumental risk here?

edit: not referring to rootpipe, that IS an issue.

It's not the # of apps - it's WHICH apps. And right there in the article, it states "and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc."

I would say that those are some widely used apps. So yes - there could be a significant risk.
 
I kind of take light to the whole NSA and 'zombie' notion... although if the suggestive measure here is everyone Apple user believes one company, or does what they say, then the NSA's been reading too many books...

I take my own security always, and never follow anyone else's, no matter how many transparency reports they think they can assure users with. That does not mean I won't store anything with them, but it does mean I decide what goes where. :apple:
 
Again, at the bottom of the page, the Windows counts are aggregated. It is not a total of all the Windows exploits.

Right, but help me understand better. Here is the direct quote from the author in response to many comments regarding OS X having a single entry:

The response to my post on the top vulnerabilities in 2014 has been amazing and I would like thank everyone who commented on the article. What certainly stood out in the comments and feedback is the fact that some of the statistics I reported on were not clear enough. Many comments queried why vulnerabilities were grouped in the way I did and why there’s a single entry for Apple OS X and Linux but seven entries for each Windows version.

In the following update, I’m going to try and clarify and answer most of our readers’ queries.

The operating systems are different and it is hard to group them in a way that everybody agrees with. For example, unlike Windows, the Linux Kernel can be upgraded independently of the rest of the operating system; therefore it is hard to link Linux Kernel vulnerabilities to a specific Linux distribution or Linux distribution version. This is why Linux vulnerabilities are grouped under Linux Kernel as a separate product and then there are the specific vulnerabilities for each Linux distribution. The reason why only Linux Kernel and Apple OS X are listed at the top is because the number of vulnerabilities that specifically apply to other Linux distributions (like Red Hat, Debian, etc.) is lower than the number of vulnerabilities that apply to the operating systems already listed.

If I understand correctly, Open Source has certified OS X as a UNIX system, Linux is merely an open source distro. The author claims, "The reason why only Linux Kernel and Apple OS X are listed at the top is because the number of vulnerabilities that specifically apply to other Linux distributions (like Red Hat, Debian, etc.) is lower than the number of vulnerabilities that apply to the operating systems already listed." Essentially, the author is stating Linux has fewer vulnerabilities than OS X's UNIX system (likely due to OS X's market share/use), but both are kernel dependent and can be updated easily without tweaking the entire OS. I would view that as a "pro".

Lastly, the author's reasoning still doesn't excuse what appears to be bad statistical analysis. Yes, OS X is based off a [mach] kernel which can be updated, however this does not necessarily mean that all OS X systems are the same; each variant has suffered from various exploits at some point that were addressed. Same point to Windows systems.

To be fair, if you're lumping OS X into one category then do the same for Windows. Results would be as follows:

  • Windows - 248
  • OS X - 147
  • Linux - 119

That would be a fair comparison.
 
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

What kinda sucks is that people keep parroting this stat and don't realize the data behind it is flawed.

The article makes this claim based on the number of updates pushed out. All we can actually conclude is that OS X and iOS were "most patched" last year. That alone doesn't make it "least secure." Actually.. you could argue the opposite: "most patched" could mean these OSes are more secure, after the fact....

...except the data is still inherently flawed, for three reasons:

1. The data assumes that unfound flaws don't exist. There could be way more flaws for Windows... they just haven't been found yet. There could also be way more unfound flaws for OS X, as we're discovering now.

2. Windows flaws have been broken out by version. OS X and iOS didn't get the same treatment: all versions were lumped into one, making the number for OS X artificially bigger.

3. Many of the flaws listed for Linux are also counted in OS X, because they use many of the same software underpinnings.


So no, you can't say that OS X, or any OS for that matter, is "least secure."
 
To be fair, if you're lumping OS X into one category then do the same for Windows.

We can't tell from this (very flawed) article whether the exploits patched for OS X are unique or duplicated across OS X versions.
 
We can't tell from this (very flawed) article whether the exploits patched for OS X are unique or duplicated across OS X versions.

That's the conclusion I came to as well, I wanted to make certain I was following the "logic" as it didn't make sense. Thanks!
 
At least back to 10.7.

Snow Leopard (10.6.x) is vulnerable as well...looking at the comment section (Felipe Rodriguez) of the blog by the guy who discovered the rootpipe bug and worked with Apple on it - they verified it was exploitable in 10.6 as well:

https://truesecdev.wordpress.com/20...ileges-in-apple-os-x/comment-page-1/#comments

Interesting (bit disheartening), it was 6 months from being given the details of the exploit to release of a broken fix for rootpipe in v10.10.3.
 
Just exactly how big of an issue is this really? Should I delete "Movies" by Flixter from devices, for instance?

Only if you care about your Movies by Flixster password getting picked up. I assume you use a different password for every app/website through some sort of Master Password system like "LastPass" or "1Password"?
 
Ouch...

my banking app "Westpac Banking Corporation" is one of them using version 2.5.0 or older....

Why is it always the "most secure banks" or they keep telling us they are, but are in fact the "less secure" ?

coupled with an insecure method of entering the password, limiting it to only 8 characters, no punctuation, and using an on-screen keyboard on the website.

This is hardly good business practice for something that's supposed to be "the best security" as promised by the banks.
 
At the bottom of that link you see the aggregate counts for Windows. Most of the vulnerabilities listed are duplicated in each version of Windows so the total number is not the sum of each Windows version's vulnerabilities.

The fact there are 250+ security patches a year for 8.0, 8.1 is not a security problem at all.... Severity of the bugs (and how many people are affected) also is to be disregarded entirely off course (sic).

Windows is less of a mess than it once was, but it is still a whole security mess. I used 8.1 as my main computer so I should know.

Pretty hard to get security bugs in Windows 8.1 apps when nobody makes apps in the first place ;-).

----------

Snow Leopard (10.6.x) is vulnerable as well...looking at the comment section (Felipe Rodriguez) of the blog by the guy who discovered the rootpipe bug and worked with Apple on it - they verified it was exploitable in 10.6 as well:

https://truesecdev.wordpress.com/20...ileges-in-apple-os-x/comment-page-1/#comments

Interesting (bit disheartening), it was 6 months from being given the details of the exploit to release of a broken fix for rootpipe in v10.10.3.

Well, good security practices makes the bug moot, so there is a fix, in a way.
 
What?

I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

According to? Since you don't cite a source, how about this one:

http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

So we are looking at all the vulnerabilities for all versions of OS X in a given year, and comparing those to the vulnerabilities in each version of Windows separately? And this is honest? The total vulnerabilities for Windows (desktop and server, like OS X) last year is 218 v.s. OS X 147. I know you are going to say, "what about vulnerabilities that are the same in each version of Windows?" Okay, to that I say, "What about the vulnerabilities that are the same in each version of OS X?"

See, we can MAKE the numbers say ANYTHING we want them to if we screw around with them enough.
 