First, Apple revealed a critical bug in its implementation of
encryption in iOS, requiring an emergency patch. Then researchers found
the same bug is also included in Apple’s desktop OSX operating system, a
gaping Web security hole that
leaves users of Safari at risk of having their traffic hijacked.
Now one researcher has found evidence that the bug extends beyond
Apple’s browser to other applications including Mail, Twitter, Facetime,
iMessage and even Apple’s software update mechanism.
On Sunday, privacy researcher Ashkan Soltani
posted a list of OSX applications on Twitter
that he says he’s determined use Apple’s “secure transport” framework,
the coding library that developers depend on to build programs that
securely communicate online using the common encryption protocols TLS
and SSL. The full list, which isn’t comprehensive given that Soltani
only analyzed the programs on his own PC, is shown below. (Soltani has
underlined the vulnerable application names in red.)
Privacy researcher Ashkan Soltani’s list of
OSX applications that use Apple’s vulnerable implementation of SSL and
TLS encryption. (Click to enlarge.)
Soltani, an independent researcher whose recent work has
included analyzing the surveillance documents leaked by NSA contractor
Edward Snowden on behalf of the Washington Post, warns that the security
of several applications on that list are severely compromised,
including Apple’s email program Mail, scheduling app Calendar and the
its official Twitter desktop client. The bug affects how Apple devices
authenticate their secure connection with servers, allowing an
eavedropper to fake that verification and hijack or corrupt traffic
using what’s known as a “man-in-the-middle” attack. ”All these apps
would be vulnerable to the same man-in-the-middle vulnerability outlined
on Friday,” Soltani says.
Some of the affected apps such as iMessage and Facetime have added
security that could reduce the effects of the security vulnerability,
though Soltani warns that for the iMessage instant messaging application
the initial login at Apple’s me.com website may be compromised, even if
the messages themselves remain encrypted, and that similar problems may
exist for Facetime. “There are going to be parts of the protocol like
the initial ‘handshake’ that rely on TLS, and those will be vulnerable
to man-in-the-middle attacks,” Soltani says.
Equally troubling is the notion that Apple’s Software Update
application is affected, which means that Apple’s mechanism for pushing
new code to OSX machines, including security updates, could be
compromised. Soltani notes that in addition to SSL and TLS, Software
Update also checks for Apple’s signature on any code that it asks users
to install. But he adds that the code-signing protection hasn’t stopped
malware from
spoofing those updates in the past to install spying tools on victims’ machines.
I’ve reached out to Apple for comment on Soltani’s findings, and I’ll update this post if I hear from the company.
Apple’s newly discovered security flaw, dubbed “gotofail” by the
security community due to a single improperly used “goto” command in
Apple’s code that triggered it, initially came to light Friday when
Apple issued a security update for iOS. Researchers at the security firm
Crowdstrike and Google quickly reverse engineered that patch to show
how it affected OSX as well, and initially recommended that users
stay away from untrusted networks and avoid Safari, which is more dependent on Apple’s implementation of SSL and TLS than other browsers such as Chrome or Firefox.
Soltani’s work, however, shows that the problem extends further,
leaving many users with few options for secure communications until
Apple issues a fix for its desktop software. The company promised in a
statement to Reuters
Saturday to make that fix available “very soon.” Given the widening
gaps in Apple’s security the flaw exposes, it can’t come soon enough.
Read article on Forbes Magazine:
Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More - Forbes
http://www.mobiquant.com
Website Mobiquant
Posts
