Apple fixed a major security flaw in its mobile operating system on Friday, but appears to have momentarily left its desktop software open to attack, according to security experts.

Researchers at CrowdStrike reverse engineered Apple’s “emergency SSL security update for iOS (7.0.6)” to analyze what has become known as the “Gotofail” bug. They found that an attacker could exploit the hole in earlier versions to bypass the verification step of SSL/TLS, the protocols that secure encrypted communications online. CrowdStrike added:

“This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider, and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”

But Apple’s patch only covered its mobile operating system, iOS, while its standard OS X operating system is also vulnerable, according to CrowdStrike. Various researchers and reporters have found that Apple’s Safari browser and Mail application could be susceptible. It doesn’t appear that the Firefox or Chrome browsers are.
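To show why a single slipped line defeats the whole verification step, here is an added, constructed model of the bug’s control flow. It is not Apple’s code (which checks an RSA signature over SHA-1 hashes inside its TLS library); the struct, the stand-in byte-compare check and the sample signatures are all assumptions made for the example, and only the shape of the defect, a duplicated `goto fail;` that skips the final check, is kept.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the "goto fail" control flow, not Apple's code: it keeps
 * only the shape of the defect (a duplicated "goto fail;" that skips the final
 * check) and replaces the real RSA/SHA-1 verification with a byte compare. */
typedef struct { const unsigned char *sig; size_t len; } key_exchange_t;
/* Constructed stand-in signatures: one "valid", one forged. */
static const unsigned char EXPECTED_SIG[] = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char FORGED_SIG[]   = { 0x01, 0x02, 0x03, 0x04 };
/* Models the hash updates that run before the signature check. */
static int hash_update(const key_exchange_t *kx) { return kx->sig ? 0 : -1; }
/* Stand-in for the signature verification: 0 = valid, -1 = invalid. */
static int check_signature(const key_exchange_t *kx)
{
    if (kx->len != sizeof EXPECTED_SIG) return -1;
    return memcmp(kx->sig, EXPECTED_SIG, kx->len) == 0 ? 0 : -1;
}

/* Vulnerable shape: the second "goto fail;" is unconditional, so the
 * signature check below it is unreachable and err is still 0 at fail:. */
int verify_vulnerable(const key_exchange_t *kx)
{
    int err;
    if ((err = hash_update(kx)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always jumps with err == 0 */
    if ((err = check_signature(kx)) != 0)
        goto fail;
fail:
    return err;      /* 0 means "accepted", even for a forged signature */
}

/* Fixed shape: one goto per check, so the signature is always verified. */
int verify_fixed(const key_exchange_t *kx)
{
    int err;
    if ((err = hash_update(kx)) != 0)
        goto fail;
    if ((err = check_signature(kx)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    key_exchange_t forged = { FORGED_SIG, sizeof FORGED_SIG };
    printf("vulnerable=%d fixed=%d\n", verify_vulnerable(&forged), verify_fixed(&forged));
    return 0;
}
```

Compiling the vulnerable version with clang’s `-Wunreachable-code` reports the skipped check as unreachable, which is the kind of warning that catches this class of editing slip before release.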

Apple said another patch is on the way.

“We are aware of this issue and already have a software fix that will be released very soon,” Apple spokeswoman Trudy Muller said.

Still, respected security researchers were shocked by Apple’s practices in this instance.

Google’s Adam Langley wrote on his blog: “Yesterday, Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details. … This sort of subtle bug deep in the code is a nightmare. I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.”

But others perceived more sinister possibilities.

Close Apple watcher John Gruber raised the question of whether or not the National Security Agency might have inserted the bug as a backdoor — or noticed and exploited it. He noted that the vulnerability found its way into the mobile operating system around the same time the NSA claimed the ability to access information from Apple through the PRISM program, according to the slides leaked by former security contractor Edward Snowden.

Added Gruber:

I see five levels of paranoia:

1. Nothing. The NSA was not aware of this vulnerability.
2. The NSA knew about it, but never exploited it.
3. The NSA knew about it, and exploited it.
4. NSA itself planted it surreptitiously.
5. Apple, complicit with the NSA, added it.

Me, I’ll go as far as #3. In fact, I think that’s actually the optimistic scenario — because we know from the PRISM slides that the NSA claims some ability to do what this vulnerability would allow. So if this bug, now closed, is not what the NSA was exploiting, it means there might exist some other vulnerability that remains open.

For now, here’s what CrowdStrike recommends for Apple customers:

Update your Apple devices and systems as soon as possible to the latest available versions. Do not use untrusted networks (especially WiFi) while traveling, until you can update the devices from a trusted network. On unpatched mobile and laptop devices, set the “Ask to Join Networks” setting to OFF, which will prevent them from showing prompts to connect to untrusted networks.

Re/code’s John Paczkowski contributed to this post.

5 comments

Y. Huang

For access unknown/untrusted Wi-Fi, how about using VPN service to overcome the security issue? I think that can protect your network traffic even in that worst situation.

bobsulli

The title "Apple Patches One Security Hole, Leaves Open Another" implies Apple does not plan to patch the OS/X security hole, but the article says otherwise. We don't need sensationalized headlines, Re/Code!

wonderYrednow

It's all good, keep your NSA close but keep your Apple closer.

DrSue

Apple was one of the companies that cooperated with the NSA to allow this mob of spies to access the personal and business information of their customers. Why would anyone expect Apple to take the security of their overpaying customers seriously now?

khha4113

@freediverx That's uncalled for. This is a serious threat, and he just reported it. If this happened with Windows, Microsoft would have been brutally criticized. Some people are just hypocrites!

"Apple is by far the one who cares most about its users' security and privacy"

Haha! It makes me laugh!
