GMAIL Apple's OS SSL Certificate Verification Bypass Flaw | Security Learner's Blog

Saturday, 19 April 2014

Apple's OS SSL Certificate Verification Bypass Flaw

--

[Addendum and additional information added 2014-02-25 ~11:00 AM]

At the moment, there is a lot of swirling information about a security vulnerability in Apple software that allows hackers to surveil users on the Internet, among other things. It is a form of 'Man In The Middle' hack. It involves bypassing SSL certificate verification, allowing hackers to fake an SSL connection between the user, themselves, and the user's intended Internet connection. There is a lot of misinformation and outright nonsense out on the Internet, making this a very muddy topic. I'm waiting for a shoe or two to drop regarding this situation before commenting about it further.

Therefore, I'll be writing up a Part II regarding the problem as the mud settles.


In the meantime, Apple has provided three fixes so far for this problem. Each of the updates in the list are linked to their Apple security notes:


1) iOS 7.0.6 Update.


2) iOS 6.1.6 Update.


3) Apple TV 6.0.2 Update.


Common to all three updates is the following:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.


CVE-ID


CVE-2014-1266 
To reiterate, that's three updates. For reasons I cannot comprehend, only one or two of these updates are being reported in the news, which is part of the reason I don't trust many reports regarding this situation. I have an extremely low opinion of technology journalism these days. Quite a lot of it is outright abysmal.

There are a couple purported tests available for OS X Safari to verify whether it also has this SSL security flaw. The ImperialViolet website, linked below, provides one of them. From reports, as well as my personal experience, Safari 6.x does NOT have the SSL flaw. However, Safari 7 DOES have the SSL flaw. Note that Safari 7 is exclusive to OS X 10.9 Mavericks. Apple has acknowledged that the problem exists. There is a report that an Apple internally distributed beta of the fix is being tested. I'm expecting a public beta this week, if not the entire fix. We shall see.


* [New information: The flaw is in OS X 10.9 itself, not any particular application. Any applications that access Apple's system level Security.Framework are potentially all affected. For more information, see the Addendum below.]

There has already been some chatter about this SSL flaw being a method of NSA surveillance of Apple users. I currently believe that is not the case, specifically because the flaw is so recent. It is not found in versions of Safari on iOS, OS X, or the equivalent software on Apple TV that are more than a year old, to use a simple round number. Therefore, I've set my paranoia switch to 'simmer' regarding this hypothesis.


Two further things: 


- Please do NOT confuse this situation with the simple use ofunsecured Wi-Fi hotspots whereby anyone's granny can sniff your Internet connection via Wireshark, or other hacker tools. It is NOT the same thing. This SSL flaw requires a lot more sophistication and can take place even on secured Wi-Fi hotspot connections or other SSL connections, including at home.

- Using a 'reverse firewall', such as Little Snitch or Intego's Net Barrier, will catch any bogus port call outs from Safari that are common with this SSL flaw. Just remember to not approve them when they pop up. This can help prevent an SSL hacker from exploiting your machine.

When Apple's SSL fix for OS X is released, I'll be writing more about the subject.


Meanwhile:

Here are some reading links to assist in understanding the background of the problem:

https://en.wikipedia.org/wiki/Secure_Sockets_Layer


https://en.wikipedia.org/wiki/Ssl_certificate


https://www.imperialviolet.org/2014/02/22/applebug.html


http://www.macworld.com/article/2099987/what-you-need-to-know-about-apples-ssl-bug.html

…And… The Fix Is Out!

Apple has provided four security updates today, one of which is OS X 10.9.2 update. I'll skip Security Update 2014-001, Safari 6.1.2 update and Safari 7.0.3 update for the moment as they are not directly applicable to the SSL security flaw.

What have we here, among the several security updates in10.9.2?
Data Security

Available for:  OS X Mavericks 10.9 and 10.9.1

Impact:  An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description:  Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID
CVE-2014-1266
√ That's the fix for the SSL flaw, aka CVE-2014-1266.

I'm glad that's over!

Update ASAP please! I'm off to do it myself right now.

I'll chatter about the other security updates, as well as the other security fixes in 10.9.2, a bit later.


FIDA HUSSAIN

I am Fida Hussain,a computer student from Pakistan. Right from the day one I was introduced to computers,I had a passion for Hacking and Information security. So,I started this blog in 2012 to share my views and ideas with the world.

0 comments :

Post a Comment

 

Security Learner's Blog

Designed by Fida Hussain
This content is DMCA Protected.Copying or reproducing of procedure is prohibited.Do Not Copy!!