Slashdot Mirror

← Back to Stories (view on slashdot.org)

iTunes Flaw Allowed Spying On Dissidents

Posted by Soulskill on from the but-only-from-a-macbook dept.

Hugh Pickens writes writes "Democracy and free speech activists worldwide have something new to worry about — cyberwarfare via iTunes. The Telegraph reports that Gamma International sells computer hacking services to governments, offering 'zero day' security flaws that allow access to target computers 'with the ability to take control of the target systems functions to the point of capturing encrypted data and communications.' FinFisher spyware, known to be used by British agencies and offered to Egypt's feared secret police, takes advantage of an unencrypted HTTP request that is filed by iTunes when Apple Software Updater is inactive. It redirects users' web browsers to a customized web page that pretends Flash is not installed on the user's computer, then installs a sophisticated piece of spyware that sends info on a user's activities directly to foreign intelligence services. The latest iTunes software update, 10.5.1, released on November 14, appears to have fixed the exploit FinFisher used. A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet Apple 'waited more than 1,200 days to fix the flaw,' writes security researcher Brian Krebs."

20 of 82 comments (clear)

  1. Conspiracy! by ryanmcdonough · · Score: 5, Funny

    An amazing way to exploit software that is ubiquitous on many computers. Let's start the conspiracy now that Apple are told by governments not to fix a bug until they find a better 0Day to exploit.

    1. Re:Conspiracy! by Chrisq · · Score: 5, Funny

      An amazing way to exploit software that is ubiquitous on many computers. Let's start the conspiracy now that Apple are told by governments not to fix a bug until they find a better 0Day to exploit.

      You are obviously a government schill who has posed this as a "Lets start a conspiracy" to throw people of the fact that this is exactly what happened.

    2. Re:Conspiracy! by jellomizer · · Score: 2

      The biggest and most used names will get the most hacking and piracy.
      Being Open Source, Closes Source. Well designed or poorly designed.
      Most of the security problems that take a long time to fix are passed off as not that big of a deal. With an easy work around.
      You expect every software company to be trolling the hacking sites to see if there is a new exploit. It doesn't happen.
      Even when a hole if found the company cannot just fix it the next day. Because then they will get dinged for making a fix that didn't work and broke the system and people will be less likely to update their computer again.
      How many of you work for a company that will not push out patches for months because every patch needs to be tested. Because you have been screwed by a Microsoft patch in the past.
      So if the company patches to soon without without a full analysis and testing period they get yelled at. If they do a full analysis that can take months or years they get yelled yet.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Conspiracy! by Bill_the_Engineer · · Score: 2

      By copying the software and rebranding it as their own work without releasing the source code or acknowledging the original software.

      I assumed you meant pirate as in copyright infringement and not pirate as in arghhhh.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    4. Re:Conspiracy! by Yvan256 · · Score: 4, Funny

      In America
      You write haiku, in Russia
      The Haiku writes YOU

    5. Re:Conspiracy! by arth1 · · Score: 2

      How does one pirate open source software?

      Easily. Thousands of companies do it every day, the same way one pirates closed source software:
      By making and/or distributing copies in violation of the license.

      • Most by not honouring licenses with clauses saying that you have to distribute the source with the compiled software or otherwise make it easily available.
      • Some by erasing the original author's names, when the license calls for an attribution.
      • The worst are those who make modifications (including fixes) to software where the license says that the source to such modifications must become open source too. They take but are unwilling to give.

      In these cases, you are in violation of the license which is all that gave you a right to distribute the software. So you don't have that right because you broke the license terms, and doing so is piracy.

    6. Re:Conspiracy! by Tsingi · · Score: 2

      that's not piracy, that's just rebranding, as the poster you are replying to acknowledged.

      It's not just rebranding, redistributing modified apps without making the source available violates the GPL.
      It's OK to do it, but you have to make the sources available.

    7. Re:Conspiracy! by Bill_the_Engineer · · Score: 2

      that's not piracy, that's just rebranding, as the poster you are replying to acknowledged.

      Let's me type a little slower since you were so quick in the reply that you didn't seem to comprehend my message.

      Consider piracy to be copyright infringement which is the overwhelming view on Slashdot since we have the meme copyright infringement is not equal to theft here. Now consider what constitute copyright infringement of most open source software that is not in the public domain. If you copy the software and rebrand it without releasing the source code then you violated the GPL which amounts to copyright infringement. If you copy the software and rebrand it without acknowledging the original software then you violated most 4 part BSD licenses out there; Again this amounts to copyright infringement.

      This is why my answer to the original poster about "How does one pirate open source software?", I said "by copying the software and rebranding it without releasing the source code or acknowledging the original software" if you consider piracy to mean copyright infringement.

      I'll attribute your answer to ADHD.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  2. This is why.. by ryanmcdonough · · Score: 2

    You should always put all your music onto a £10 mp3 player and only listen to it on there!

  3. Re:Liability by betterunixthanunix · · Score: 4, Insightful

    There's really only one solution: hold software makers libel for security vulnerabilities

    ...and thus kill the free software movement.

    The real answer is that dissidents need to start being more paranoid and more technically literate. A system that is used for personal entertainment should be kept physically separated from a system that is used to communicate with fellow dissidents.

    --
    Palm trees and 8
  4. Proof by Yvan256 · · Score: 4, Funny

    Yet another proof that Flash is dangerous! /duck

  5. Seriously? by Anonymous Coward · · Score: 3, Funny

    Apple software that redirects you to a webpage where it requests to install Flash Player?

    That's like Toyota's website sending you to a page about the Honda Civic.

    The flaw may be with iTunes but the spying is done by trojan spyware that passes itself as Flash player. The title of this thing is obviously anti-Apple bashing at its finest.

    1. Re:Seriously? by GameboyRMH · · Score: 2

      The flaw may be with iTunes but the spying is done by trojan spyware that passes itself as Flash player. The title of this thing is obviously anti-Apple bashing at its finest.

      There you have it folks, if any malware exploits a vulnerability in Apple software it's not Apple's fault, it's the virus writer's fault. To say otherwise would be Apple-bashing.

      Now excuse me while I make the infallible decision to leave every door on my house swinging open while I'm not at home. If any hobos or thieves enter it is not my fault, I made no mistakes.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Seriously? by Yvan256 · · Score: 2

      There's a vulnerability in iTunes but it's not that vulnerability that installs the malware. If I post the link to that particular website right here on Slashdot, by your logic that would mean Slashdot is now infested with spyware too.

    3. Re:Seriously? by chrb · · Score: 3, Informative

      There's a vulnerability in iTunes but it's not that vulnerability that installs the malware.

      Yes it is. From TFA:

      "Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability: "The iTunes program checks that the binary is signed by Apple but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks its from Apple"

      The only way you can argue that the updater isn't at fault is if you are going to blame the exploit that installs the malware? But by that definition, a manufacturer would never be assigned any blame for vulnerabilities, it would always be the person doing the exploiting. Does that make sense? Try this: "Microsoft bears no responsibility for any holes in Windows, even when it knows about them and doesn't fix them. The blame lies entirely with the exploit." Do you still agree with this logic when the manufacturer of the system is Microsoft, rather than Apple?

      If I post the link to that particular website right here on Slashdot, by your logic that would mean Slashdot is now infested with spyware too.

      Bad analogy. Slashdot isn't used as part of a Software Update system by software installed on the desktops of millions of people. Your iTunes updater isn't going to prompt you to install a new update - verified as being from Apple - because of a Slashdot post.

  6. OpenOffice has the same vulnerability by WD · · Score: 5, Informative

    And they haven't done anything about it for years, either.
    http://blogs.oracle.com/malte/entry/evilgrade_and_openoffice_org

  7. Re:That's funny... by CharlyFoxtrot · · Score: 5, Insightful

    I love how people here are focussing on iTunes and not the fact that British agencies are supplying the Egyptian secret police with software to nab dissidents. Seriously, WTF ?

    --
    If all else fails, immortality can always be assured by spectacular error.
  8. 1,200 days? by alexo · · Score: 4, Funny

    Apple 'waited more than 1,200 days to fix the flaw

    It's even worse than that
    The waited more than a HUNDRED MILLION seconds.

    I guess "more than three years" does not cut it anymore.

    1. Re:1,200 days? by Pope · · Score: 2

      Article was obviously written by a new parent.

      --
      It doesn't mean much now, it's built for the future.
  9. Black hats by bill_mcgonigle · · Score: 3, Insightful

    Gamma International sells computer hacking services to governments, offering 'zero day' security flaws

    These are the real blackhats - most 'hackers' don't sell their services to get people killed. Legalized blackhats, perhaps, but blackhats nonetheless.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)