Wednesday, May 20, 2015

Apple's First Watch OS Security Update: v1.0.1


Apple has released the first security update for the Watch via Watch OS 1.0.1 You can read the security content document here:

About the security content of Watch OS 1.0.1

Included in the update are eight Watch OS Kernel patches, some of which are critical. There are also another couple patches that protect Kernel data. Also patched was the good old FREAK/Logjam security hole caused by the potential use of decrepit RSA encryption algorithms in HTTPS Internet communication.

For fun, here is the document for CVE-2015-1067, 'FREAK':

The document provides links to all of Apple's previous FREAK patches.

If you're interested in why FREAK/Logjam remains a worldwide problem, as well as its more recent implications, Dan Goodin at Ars Technica wrote a relevant article last week:

HTTPS-crippling attack threatens tens of thousands of Web and mail servers
Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.
The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.
"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web."
IOW: Politics as a security hole. :-P


No comments:

Post a Comment