Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X

from the we're-too-cool-for-details dept

Apple on Friday issued an update that fixed a rather severe vulnerability (CVE-2014-1266) in SecureTransport, the SSL/TLS implementation in iOS. In short, the client never verified the server's signature on the key-exchange message for the ephemeral Diffie-Hellman cipher suites, and an attacker in the middle can simply select one of those suites. So anyone positioned between an iPhone, iPad or iPod Touch and the internet (a rogue hotspot on a public network, say) could impersonate any HTTPS server without holding that server's certificate or private key, and read or modify everything sent over the supposedly secure, encrypted connection. Analysis of the affected code suggests the vulnerability was introduced in iOS 6.0 back in September 2012 (Apple was added as a PRISM partner in October 2012, utterly circumstantial but just sayin'). After some reverse engineering of the patch, people discovered the fix was tiny, a single duplicated `goto fail;` line in the signature-checking function that made it return "verified" before it ever looked at the signature, but that the bug sits in TLS code shared by every app that uses the system's networking stack.

The bigger problem is that the same analysis showed the bug also affects Apple laptops and desktops running OS X (there's a few of those out there), since Mavericks (10.9 and 10.9.1) shares the same SecureTransport code; earlier OS X releases don't contain the affected code path. The bug existed for some time before being detected, and at the moment there's not only no fix in place for laptop and desktop users, but Apple hasn't issued any statement warning customers that everything they do at the coffee shop is potentially exposed.
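To make that concrete, here is a small C model of the defect, added for this page and not taken from Apple's source. It follows the shape of the signature check in SecureTransport's SSLVerifySignedServerKeyExchange(): the hash and signature routines are toy stand-ins, the handshake bytes are constructed, and the type and field names are simplified, but the duplicated `goto fail;` does exactly what it did in the shipped code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's code: a model of the control-flow bug behind
 * "goto fail" in SecureTransport's check of the TLS ServerKeyExchange
 * signature. Hash and signature routines are toy stand-ins and the message
 * bytes are constructed, so this builds and runs with no dependencies. */

typedef struct { uint32_t state; } hash_ctx_t;
typedef struct {                       /* the pieces the server signs */
    const uint8_t *client_random, *server_random, *signed_params;
    size_t cr_len, sr_len, sp_len;
    uint32_t signature;                /* what the server actually sent */
} server_kx_t;

/* Toy hash (FNV-1a style) standing in for SHA-1; never fails. */
static int hash_update(hash_ctx_t *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        ctx->state = (ctx->state ^ data[i]) * 16777619u;
    return 0;
}
static int hash_final(hash_ctx_t *ctx, uint32_t *out) { *out = ctx->state; return 0; }

/* Stand-in for the RSA/ECDSA check: the signature is valid iff it equals
 * the hash the server was supposed to sign. 0 = good, -1 = bad. */
static int raw_verify(uint32_t hash, uint32_t sig) { return hash == sig ? 0 : -1; }

/* Vulnerable shape. The second "goto fail;" is not governed by the if above
 * it, so it always executes: hash_final() and raw_verify() are skipped and
 * err still holds the 0 from the last hash_update(). The caller is told the
 * signature verified, whatever the server sent. */
int verify_signed_params_buggy(const server_kx_t *m)
{
    hash_ctx_t ctx = { 2166136261u };
    uint32_t hash_out = 0; int err;
    if ((err = hash_update(&ctx, m->client_random, m->cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->server_random, m->sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->signed_params, m->sp_len)) != 0)
        goto fail;
        goto fail;                     /* <-- the duplicated line */
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, m->signature);

fail:
    memset(&ctx, 0, sizeof ctx);       /* the cleanup the goto exists for */
    return err;
}

/* Fixed shape: the same function with the stray line deleted. */
int verify_signed_params_fixed(const server_kx_t *m)
{
    hash_ctx_t ctx = { 2166136261u };
    uint32_t hash_out = 0; int err;
    if ((err = hash_update(&ctx, m->client_random, m->cr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->server_random, m->sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, m->signed_params, m->sp_len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, m->signature);

fail:
    memset(&ctx, 0, sizeof ctx);
    return err;
}

/* What an honest server would have signed for this message. */
uint32_t genuine_signature(const server_kx_t *m)
{
    hash_ctx_t ctx = { 2166136261u };
    uint32_t h;
    hash_update(&ctx, m->client_random, m->cr_len);
    hash_update(&ctx, m->server_random, m->sr_len);
    hash_update(&ctx, m->signed_params, m->sp_len);
    hash_final(&ctx, &h);
    return h;
}

/* Constructed sample handshake bytes, not a real capture. */
static const uint8_t CR[] = { 0x11, 0x22, 0x33, 0x44 }, SR[] = { 0x55, 0x66, 0x77, 0x88 };
static const uint8_t PARAMS[] = { 0x03, 0x00, 0x17, 0x41, 0x04, 0x9a };

/* Run one verifier on the sample message and return its err. forged=1 flips a
 * bit of the signature, as a man-in-the-middle who cannot sign would produce. */
int verify_outcome(int use_buggy, int forged)
{
    server_kx_t m = { CR, SR, PARAMS, sizeof CR, sizeof SR, sizeof PARAMS, 0 };
    m.signature = genuine_signature(&m) ^ (forged ? 1u : 0u);
    return use_buggy ? verify_signed_params_buggy(&m) : verify_signed_params_fixed(&m);
}

int main(void)
{
    printf("forged signature: buggy err=%d (0 = accepted), fixed err=%d\n",
           verify_outcome(1, 1), verify_outcome(0, 1));
    return 0;
}
```

Compile it with `cc -std=c99 -Wall` and run: the buggy verifier returns 0 (success) for the forged signature, the fixed one returns -1, and the fixed one still returns 0 for the genuine signature. GCC 6 and later flag the stray line with -Wmisleading-indentation, which is the warning that would have caught this at build time.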

Apple's only public comment was apparently to tell Reuters on Saturday that a fix was coming "very soon." There's a website that lets you check whether your machine is affected: it serves a connection with a deliberately bad server signature, which a patched client refuses and a vulnerable one happily accepts. Unsurprisingly, Apple is taking a lot of heat on numerous fronts for not doing more (read: anything) to help potentially impacted users:
"Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?"
Perhaps silence is sexier? iPhone and iPad users should obviously update their systems ASAP. OS X users can protect themselves in the meantime by browsing with Chrome or Firefox, which ship their own TLS libraries rather than using SecureTransport, and by turning off background services that do use the system stack (Mail.app, iCloud and anything else that quietly talks to a server) when wandering about on coffee shop Wi-Fi. Regardless, surely the NSA, other intelligence organizations, hackers and other ne'er-do-wells looking to nab personal data greatly appreciate Apple's dead silence on the issue.
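As an added practitioner's check, not part of the original post: the OS X fix later shipped as the 10.9.2 update, so the version string alone tells you where a Mac stands with respect to Apple's own TLS stack (it says nothing about Chrome or Firefox, which never used SecureTransport). The POSIX shell function below classifies a version on the thresholds Apple published with 10.9.2: Mavericks 10.9 and 10.9.1 are vulnerable, 10.9.2 and later carry the fix, and 10.8 or earlier never contained the affected code. The function name is ours, not an Apple tool.

```shell
#!/bin/sh
# Added example, not from the post above. Classify an OS X version string
# against the SecureTransport "goto fail" fix, which Apple shipped in 10.9.2.
# Assumes: 10.9 and 10.9.1 vulnerable, 10.9.2 and later patched, 10.8 and
# earlier never had the affected code. gotofail_status is our own name.

gotofail_status() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return 0 ;;   # not a.b[.c]
    esac
    major=${ver%%.*}                   # "10.9.1" -> 10
    rest=${ver#*.}                     #          -> "9.1"
    [ "$rest" = "$ver" ] && rest=0     # bare "10": no minor component
    minor=${rest%%.*}                  #          -> 9
    patch=${rest#*.}                   #          -> 1
    [ "$patch" = "$rest" ] && patch=0  # "10.9": no patch component

    if [ "$major" -lt 10 ]; then
        echo "not-affected"            # classic Mac OS: no SecureTransport
    elif [ "$major" -gt 10 ]; then
        echo "patched"
    elif [ "$minor" -lt 9 ]; then
        echo "not-affected"            # 10.8 Mountain Lion and earlier
    elif [ "$minor" -eq 9 ] && [ "$patch" -lt 2 ]; then
        echo "vulnerable"              # 10.9 and 10.9.1
    else
        echo "patched"                 # 10.9.2 and later
    fi
}

# On a Mac, check the running system; elsewhere this branch is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "OS X $v: $(gotofail_status "$v")"
fi
```

Run it on the Mac in question, or feed it a version string by hand (`gotofail_status 10.9.1` prints `vulnerable`). A "patched" result only means the system library is fixed; the behavioural test against a server with a bad signature remains the definitive check for any given client.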

Filed Under: encryption, ios, os x, vulnerability
Companies: apple


Reader Comments

  • Anonymous Coward, 24 Feb 2014 @ 4:33pm

    What did Apple know?

    And when did they know it?

    (The old questions are often the best. Those are now 40 years old and yet they still often point the way to the truth.)

  • Anonymous, 24 Feb 2014 @ 4:35pm

    It's not a flaw. It's a feature.

  • Mason Wheeler (profile), 24 Feb 2014 @ 4:39pm

    Typical Apple behavior

    This is nothing new. Apple's default response to security issues has always been to make like an ostrich and try to keep everything as quiet as possible.

  • Anonymous Coward, 24 Feb 2014 @ 4:45pm

    Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X

    Totally the right way to go

    https://www.youtube.com/watch?v=U74Q9aZ4-p8

    I love dead silence!

  • JWW (profile), 24 Feb 2014 @ 4:49pm

    Any hacker?

    My goodness. The breathlessness of the description of this vulnerability.

    Any hacker is not the case here. To execute this attack you have to intercept traffic to a website, and spoof its CA certificate (although without correct key information - as that was what wasn't being checked).

    Thats not to say that an attack couldn't be carried out by coordinated hackers who had prepared and targeted a public network being used to access a https secured site.

    But attacking this vulnerability would not be trivial. Also, once an SSL session is set up with a legit site, even with this bug, that session would be secure and free from eavesdropping.

    The attack for this has to occur at SSL session configuration and handshake time. It is much harder to pull off than it is being claimed to be.

    • Anonymous Coward, 24 Feb 2014 @ 4:59pm

      Re: Any hacker?

      It actually would probably be pretty trivial to have a proxy that exploits this. You watch for requests to port 443, and when you get one you create your own separate connection to where ever they're going, except you act as the web server. Everything gets passed back and forth like normal, except that when you get the data from the real web server or the client, you can decrypt it, then re-encrypt and send it to the client or webserver. Log everything, and then scrape the logs for usernames and password.

      But you need to have control over the target's network, which is where the difficulty is.

    • Michael Donnelly (profile), 24 Feb 2014 @ 5:52pm

      Re: Any hacker?

      Any hacker? Actually, it's a lot more exploitable than you think. Here's what I'd do if I was actually a bad guy:

      Step 1: Have evil app on your lappie forge responses to DNS queries. Everything goes through you. Super easy.

      Step 2: Run a simple socket-level proxy on port 80 and 443. Watch traffic on any given device over port 80 until you see a user-agent go by (or just guess off the MAC address). Once you identify an Apple device, forge all SSL connections with a bogus cert. Log all headers and POST data. Maybe HTML returned from remote servers, too.

      Sit in Starbucks or Paradise Bakery for a couple hours. Go home, analyze logs, mayhem ensues.

      I could easily code this myself. The actual bad guys could certainly do it as well.

    • Anonymous Coward, 24 Feb 2014 @ 7:11pm

      Re: Any hacker?

      "Any hacker is not the case here."

      OK, I'll bite. Just exactly which hackers couldn't exploit this?

    • Ninja (profile), 25 Feb 2014 @ 1:57am

      Re: Any hacker?

      If you exclude mobile systems I suspect Apple hasn't much to offer potential hackers...

    • Anonymous Coward, 25 Feb 2014 @ 4:53am

      Re: Any hacker?

      Ever heard of phishing?

      This exploit could make phishing sites appear legit.

  • TheloniousMac (profile), 24 Feb 2014 @ 4:54pm

    "Silence"

    This is not the serious end of the world situation people are making it out to be. If you're actually worried that there is a hacker in the bushes behind your Starbucks specifically waiting for you,

    A) Don't Go
    B) Use VPN when you get there (set it for all traffic)
    C) Don't use Safari
    D) Tether to your mobile device and connect that way.

    Personally if it happens to be that big a deal for you, I'd go with A.

    You have nothing to fear on your home network. You have nothing to fear on your work network, and seriously, if that is that big a problem for you, you shouldn't be on unprotected public networks to begin with!!!!

    The chances of this thing actually harming you are far less than the typical FLASH Trojan.

    The people bitching about this are just trying to get their names in the news. The amount of alarmism and panic, as usual, does a disservice rather than taking the opportunity to inform people.

  • Anonymous Coward, 24 Feb 2014 @ 5:03pm

    Apple products never become obsolete, they simply go out of style.

  • Anonymous Coward, 24 Feb 2014 @ 5:18pm

    Maybe they "can't" talk about it - know what I mean? *wink wink* *nudge nudge*.

  • Wally (profile), 24 Feb 2014 @ 6:59pm

    iOS 7.0.6 fixed vulnerabilities and the next version of OSX will have the same fixes...

    • Anonymous Coward, 24 Feb 2014 @ 7:38pm

      Re:

      So, the 3GS I upgraded to iOS 6 ... is doomed.

      I figured it was anyway; the iOS 6 upgrade basically turned the phone into a worthless POS: it's slower, it crashes, and now clearly it's insecure.

      Thanks Apple.

      • Anonymous Coward, 24 Feb 2014 @ 7:43pm

        Re: Re:

        Ah, well, it does look like they've released 6.1.6, so hopefully it will be secure "again"... but it was still a terrible upgrade for this phone.

  • Anonymous Coward, 24 Feb 2014 @ 9:54pm

    Safe As Ever

    Don't go out naked in public, don't use public wifi (cell phones, even iOS devices have DATA services), use a secured open-source browser without JAVA and wipe twice after you poop. Problem solved.

    My experience has been excellent with Apple so far. No infections or viruses detected or known since the Mac Plus. And when a problem was discovered (Saturday) my iOS devices all let me know I should upgrade, which I did. My experience has not been so positive with Windows. I have lost count of the number of workstations I have had to wipe clean and reinstall due to malware and viruses over the past 10 years. I'll never get those hours back. And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission.

    Apple 1 Windows 0

    • Anonymous Coward, 24 Feb 2014 @ 10:53pm

      Re: Safe As Ever

      "And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission."

      This is the most stupid thing I've read so far this year.

    • Rikuo (profile), 25 Feb 2014 @ 12:34am

      Re: Safe As Ever

      I second the AC up above, in that this is a stupid sentence
      "And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission."
      Whether or not he overcharged or the quality of Windows, you still willingly gave Microsoft your money, at which point, whenever Gates's salary goes through at his bank, it becomes his money. He doesn't need your permission to do whatever the fuck he wants with his money.

    • letherial (profile), 25 Feb 2014 @ 3:22am

      Re: Safe As Ever

      If your ego must insist that you're so special that he is giving away the money you gave to him, then you could make yourself feel better: that small amount of money you gave to him fed and clothed one of his children; it was the other saps' money that he gave away.

      You could also save yourself some time writing such pointless posts and never buy another Microsoft product, or any product for that matter, that you feel is overpriced again... wow, problem solved! Wasn't that simple? Even though you have a big ego, it doesn't have much in the way of brains.

      You are a perfect example of an Apple fan; thank you for reinforcing the egotistical, ignorant stereotype that is a Mac user... fucking hilarious.

      • Anonymous Coward, 25 Feb 2014 @ 7:26am

        Re: Re: Safe As Ever

        Admittedly a fan, but only because Apple earned it. I also know that no system is fully secure. But some systems are more secure than others. And that is a fact.

        • Anonymous Coward, 25 Feb 2014 @ 11:08am

          Re: Re: Re: Safe As Ever

          Right, which is why anyone who knows anything about security does not use Apple.
          They provide no vulnerability database
          They provide no timely fixes

          Jacob Appelbaum sez ".. or perhaps it's because they [Apple] write shitty software, we know that's true!"

        • John Fenderson (profile), 25 Feb 2014 @ 12:36pm

          Re: Re: Re: Safe As Ever

          "But some systems are more secure than others. And that is a fact."

          That is true, but Apple is not inherently more secure than the other common consumer OSes. Including Windows.

  • Avilion (profile), 24 Feb 2014 @ 10:34pm

    The reason Apple is remaining so quiet is that this was an Alphabet Agency backdoor and they (inlc. Apple) are scrambling to figure out what to do.

    • That One Guy (profile), 24 Feb 2014 @ 10:56pm

      Re:

      Exec 1: Okay people, we've got a bit of a situation here. A huge vulnerability in our OS has been made known, and the public is demanding answers.

      Now, normally, this wouldn't be a big deal, just patch it and we'd be good, but it's come to our attention, strictly through 'unofficial' channels mind, that the NSA and a few other agencies have been using this exploit to gather intel and/or pass the time spying on people, and they'd probably be less than thrilled to have their backdoor access closed off like that.

      However, if we don't patch it, we run the risk of angering people and potentially losing customers. Ideas?

      Exec 2: Losing customers?

      Exec 1: Yes, that's what I said.

      Exec 2: Apple customers?

      Exec 1: Yes. Look, I really don't see what you're... oh, right, good point.

      Exec 2: Yeah, we're talking about people willing to shell out a couple hundred bucks on practically a yearly basis, just because we slapped a slightly higher number on our 'new and improved' iWhatever, and they absolutely must have the newest model, a 'piddly' security flaw like this will be nothing to them, and certainly not enough to keep them from buying our stuff.

  • mdpopescu (profile), 25 Feb 2014 @ 2:58am

    But but but...

    Windows has viruses! Apple doesn't! So there!

  • Searchub (profile), 25 Feb 2014 @ 3:57am

    dead silence may solve the problem!

  • weneedhelp (profile), 25 Feb 2014 @ 8:23am

    But but but

    Macs don't have exploits and viruses. /s

  • Anonymous Coward, 25 Feb 2014 @ 10:52am

    uh... maybe because a fix to something this serious needs to be QAed more than five minutes? maybe the flaw was bigger than reported, and took more effort than just turning back an update?

    maybe it is here, now:
    http://gizmodo.com/the-fix-for-apples-scary-os-x-security-flaw-is-here-1529636089

  • Anonymous Coward, 25 Feb 2014 @ 11:04am

    Just as a side note, patch for Goto is out with 10.9.2 now:
    Software Update Tool
    Copyright 2002-2012 Apple Inc.

    Finding available software
    Software Update found the following new or updated software:
    * OSXUpd10.9.2-10.9.2
    OS X Update (10.9.2), 449548K [recommended] [restart]

    http://www.tuaw.com/2014/02/25/os-x-update-10-9-2-now-available/

  • Anonymous Coward, 1 Mar 2014 @ 12:03pm

    Apple is a real innovator sometimes; they are also notoriously slow when it comes to patching their flaws! Let's face it, all OSes have flaws; I mean, it is well documented in the NVD. Even embedded OSes like VxWorks have issues.

    However, read the report timeline on the (CVE-2013-0984) Directory Service buffer overflow flaw and you will see a prime example of how Apple “handles” the security flaws in their products from both an “urgency” and “responsibility” perspective. Oh, you say that was an old release? 2009 is old? Apple loves you folks, always willing to part with (much) more cash to get the latest Apple “thing”. Wait, Apple has canned support for that OS, right?? Why yes they did, you just didn’t hear about it until it was a done deal… again, typical Apple!! But wait, Apple has given you access to their new and improved OS X 10.9.2 (Mavericks) for FREE… and it fixes the ‘gotofail’ bug we are talking about!!! Yay for Apple!! Wait… hold the press… there have already been CVEs (yes, plural) reported for it… DANG it, now what?!? Hey, I know, let’s all just take an Apple approach to problems and just pretend they don’t exist until there is no longer any way to hide them. That will work, I mean I’m sure Apple keeps quiet about this stuff so the bad guys don’t find out… Oh, you mean the bad guys have the same access to the PUBLIC database of security flaws that sometimes includes proof-of-concept code, or at least a technical description of the attack?!?

    But in all seriousness IF you hold a job (Security related) that includes infrastructure decisions and you recommend anything Apple, then I must say you should look for another job; because let’s face it you’re not any good at the job you have.

    Nuf said

  • Anonymous Coward, 3 Mar 2014 @ 9:20am

    Gotta love GNU/Linux.
