iTunes Flaw Allowed Spying On Dissidents
Hugh Pickens writes "Democracy and free speech activists worldwide have something new to worry about — cyberwarfare via iTunes. The Telegraph reports that Gamma International sells computer hacking services to governments, offering 'zero day' security flaws that allow access to target computers 'with the ability to take control of the target systems functions to the point of capturing encrypted data and communications.' FinFisher spyware, known to be used by British agencies and offered to Egypt's feared secret police, takes advantage of an unencrypted HTTP request that is filed by iTunes when Apple Software Updater is inactive. It redirects users' web browsers to a customized web page that pretends Flash is not installed on the user's computer, then installs a sophisticated piece of spyware that sends info on a user's activities directly to foreign intelligence services. The latest iTunes software update, 10.5.1, released on November 14, appears to have fixed the exploit FinFisher used. A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet Apple 'waited more than 1,200 days to fix the flaw,' writes security researcher Brian Krebs."
And they haven't done anything about it for years, either.
http://blogs.oracle.com/malte/entry/evilgrade_and_openoffice_org
There's a vulnerability in iTunes but it's not that vulnerability that installs the malware.
Yes it is. From TFA:
"Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability: 'The iTunes program checks that the binary is signed by Apple but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks it's from Apple.'"
The only way you can argue that the updater isn't at fault is if you are going to blame the exploit that installs the malware? But by that definition, a manufacturer would never be assigned any blame for vulnerabilities, it would always be the person doing the exploiting. Does that make sense? Try this: "Microsoft bears no responsibility for any holes in Windows, even when it knows about them and doesn't fix them. The blame lies entirely with the exploit." Do you still agree with this logic when the manufacturer of the system is Microsoft, rather than Apple?
If I post the link to that particular website right here on Slashdot, by your logic that would mean Slashdot is now infested with spyware too.
Bad analogy. Slashdot isn't used as part of a Software Update system by software installed on the desktops of millions of people. Your iTunes updater isn't going to prompt you to install a new update - verified as being from Apple - because of a Slashdot post.