Apple Bug Bad. Patch Now. Here Are Good Writeups

Yesterday Apple released iOS 7.06, an important security update you have probably seen blasted across many other sites. A couple points:

  • Apple normally doesn’t issue single-bug out-of-cycle security patches for non-public vulnerabilities. They especially don’t release a patch when the same vulnerability may be present on OS X but there isn’t an OS X patch yet. I hate speculating, especially where Apple is concerned, but Apple has some reason for handling this bug this way. Active exploitation is one possibility, and the expectation of a public full disclosure is another.
  • The bug makes SSL worthless if an attacker is on the same network as you.
  • OS X appears vulnerable (10.9 for sure). There is no public patch yet. This will very likely be remediated very quickly.
  • A lot of bad things can be done with this, but it isn’t a remotely exploitable malware kind of bug (yes, you might be able to use it locally to mess with updates – researchers will probably check that before the weekend is out). It is bad for Man in the Middle (MitM) attacks, but it isn’t like someone can push a button and get malware on all our iOS devices.
  • It will be interesting to see whether news outlets understand this.

The best security pro article is over at ThreatPost.

The best technical post is at ImperialViolet. They also have a test page.

If you are in an enterprise, either push the update with MDM as soon as possible, or email employees with instructions to update all their devices.

—Rich

Comments:

By fatbloke  on  02/22  at  12:15 PM

The write up on Imperial Violet is effectively full disclosure. There was already enough discussion on Hackernews earlier for people to work it out for themselves.

In the post-Snowden era, the speculation now will be whether this bug was introduced ‘on purpose’ or not and moreover, where has it successfully been used in the interim if it’s possible to tell…

By Scott  on  02/22  at  04:18 PM

“The bug makes SSL worthless if an attacker is on the same network as you.”

That’s not my understanding.  The attacker must be in a privileged position in the chain between you and the service you’re trying to reach.  In other words: Not the guy in the chair next to you at the coffee shop, but the guy who controls its router, or one at its ISP.  http://unvexed.blogspot.com/2014/02/how-to-work-around-latest-man-in-middle.html has more, and a protective workaround.
