Monday, February 24, 2014

Apple's SSL Certificate Verification Bypass Flaw,
Part I

--

[Addendum and additional information added 2014-02-25 ~11:00 AM]

At the moment, there is a lot of swirling information about a security vulnerability in Apple software that allows hackers to surveil users on the Internet, among other things. It is a form of 'Man In The Middle' hack. It involves bypassing SSL certificate verification, allowing hackers to fake an SSL connection between the user, themselves, and the user's intended Internet connection. There is a lot of misinformation and outright nonsense out on the Internet, making this a very muddy topic. I'm waiting for a shoe or two to drop regarding this situation before commenting about it further.

Therefore, I'll be writing up a Part II regarding the problem as the mud settles.


In the meantime, Apple has provided three fixes so far for this problem. Each of the updates in the list is linked to its Apple security note:

1) iOS 7.0.6 Update.

2) iOS 6.1.6 Update.

3) Apple TV 6.0.2 Update.


Common to all three updates is the following:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.


CVE-ID

CVE-2014-1266

To reiterate, that's three updates. For reasons I cannot comprehend, only one or two of these updates are being reported in the news, which is part of the reason I don't trust many reports regarding this situation. I have an extremely low opinion of technology journalism these days. Quite a lot of it is outright abysmal.

There are a couple of purported tests available for OS X Safari to verify whether it also has this SSL security flaw. The ImperialViolet website, linked below, provides one of them. From reports, as well as my personal experience, Safari 6.x does NOT have the SSL flaw. However, Safari 7 DOES have the SSL flaw. Note that Safari 7 is exclusive to OS X 10.9 Mavericks. Apple has acknowledged that the problem exists. There is a report that an Apple internally distributed beta of the fix is being tested. I'm expecting a public beta this week, if not the entire fix. We shall see.


* [New information: The flaw is in OS X 10.9 itself, not in any particular application. Any application that accesses Apple's system-level Security.framework is potentially affected. For more information, see the Addendum below.]

There has already been some chatter about this SSL flaw being a method of NSA surveillance of Apple users. I currently believe that is not the case, specifically because the flaw is so recent. It is not found in versions of Safari on iOS, OS X, or the equivalent software on Apple TV that are more than a year old, to use a simple round number. Therefore, I've set my paranoia switch to 'simmer' regarding this hypothesis.


Two further things: 


- Please do NOT confuse this situation with the simple use of unsecured Wi-Fi hotspots whereby anyone's granny can sniff your Internet connection via Wireshark, or other hacker tools. It is NOT the same thing. This SSL flaw requires a lot more sophistication and can take place even on secured Wi-Fi hotspot connections or other SSL connections, including at home.

- Using a 'reverse firewall', such as Little Snitch or Intego's Net Barrier, will catch any bogus port call outs from Safari that are common with this SSL flaw. Just remember to not approve them when they pop up. This can help prevent an SSL hacker from exploiting your machine.

When Apple's SSL fix for OS X is released, I'll be writing more about the subject.


Meanwhile:

Here are some reading links to assist in understanding the background of the problem:

https://en.wikipedia.org/wiki/Secure_Sockets_Layer


https://en.wikipedia.org/wiki/Ssl_certificate


https://www.imperialviolet.org/2014/02/22/applebug.html


http://www.macworld.com/article/2099987/what-you-need-to-know-about-apples-ssl-bug.html



L8R!


:-Derek

--
ADDENDUM

Introduction

I have several net friends who are involved with Mac security, all of whom circle around the ClamXav project by Mark Allan. I want to thank Mark for starting our group. Today I have to particularly thank member Al Varnell for helping me out with details regarding the Apple SSL flaw. Al is an incredible behind-the-scenes asset to the Mac community.

What's New

Those who have read through the most recent rendition of MacWorld's article about the Apple SSL flaw have learned about some interesting new details. I'm simply going to list them here in the addendum to this article:

1) The Apple SSL Flaw is part of the operating systems themselves. Specific applications are affected because they access Apple's security framework. The flawed file is present in unpatched recent versions of iOS 6, iOS 7, Apple TV OS and OS X 10.9. The first three OS versions have been patched. We're still waiting for the OS X 10.9 patch.

In OS X 10.9, here is the path for the specific problem file:

/System/Library/Frameworks/Security.framework/Versions/A/Security

The bad code is located in the Secure Transport section of the Security file.
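To show what "restoring missing validation steps" means in practice, here is an added example that is neither Apple's code nor code from this post: a hypothetical reconstruction of the widely reported cause, a duplicated unconditional "goto fail;" in the server key-exchange verification that skipped the signature check, beside the corrected control flow. The struct, the step functions and the error codes are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the handshake data being verified: whether the
 * transcript hashing steps succeed, and whether the server's signature over
 * the key exchange is actually genuine. */
struct key_exchange {
    bool hash_ok;
    bool signature_valid;
};

enum { ERR_NONE = 0, ERR_HASH = -1, ERR_BAD_SIGNATURE = -2 };

/* Toy stand-ins for the individual verification steps; 0 means success. */
static int hash_step(const struct key_exchange *kx)
{
    return kx->hash_ok ? ERR_NONE : ERR_HASH;
}

static int check_signature(const struct key_exchange *kx)
{
    return kx->signature_valid ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* Vulnerable control flow (hypothetical reconstruction): the second, indented
 * "goto fail;" is not governed by the if, so it always jumps. The signature
 * check below it is dead code, and err still holds 0 from the hash step. */
int verify_vulnerable(const struct key_exchange *kx)
{
    int err;
    if ((err = hash_step(kx)) != 0)
        goto fail;
        goto fail;                               /* duplicated line: unconditional */
    if ((err = check_signature(kx)) != 0)        /* never reached */
        goto fail;
fail:
    return err;   /* 0 is reported as "connection authenticated" */
}

/* Hardened control flow: one braced jump per check, so the signature check is
 * reached and err is only 0 when every step succeeded. */
int verify_fixed(const struct key_exchange *kx)
{
    int err;
    if ((err = hash_step(kx)) != 0) { goto fail; }
    if ((err = check_signature(kx)) != 0) { goto fail; }
fail:
    return err;
}
```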

2) Because the flaw affects this Apple framework, any application using the framework is potentially vulnerable. Security expert Ashkan Soltani determined that all of the following OS X 10.9 applications are potentially affected:

Safari
Calendar
FaceTime
Keynote
Mail
Twitter
iBooks
Software Update
ApplePushService

Apparently, Safari is affected because of its use of WebKit, which also uses this framework. Therefore, any OS X application using WebKit is also potentially affected by the flaw. Note that the flaw is NOT in WebKit itself, at least according to current information. Again, this is an Apple OS flaw only.

Here is a list of applications that use WebKit, all of which are potentially affected by the flaw:


Please do not go into panic mode regarding all of the affected applications. There have been only a few reports of the flaw being exploited in the wild. If you're worried, while we wait for the OS X 10.9 fix, simply use non-WebKit applications, such as Firefox and recent versions of Chromium or Opera. (iCab currently uses WebKit).
--
