Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Fixes Dangerous SSL Authentication Flaw In iOS

Posted by timothy on from the are-you-telling-us-the-whole-story? dept.

wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the mobile popular OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a 'privileged network position could capture or modify data in sessions protected by SSL/TLS.' 'While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attack,' VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible." Adds reader Trailrunner7: "The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be for an attacker with a man-in-the-middle position on the victim's network would be able to read supposedly secure communications. It's not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."

11 of 101 comments (clear)

  1. And thus is it delivered to all supported devices by Rosyna · · Score: 4, Informative

    The update is available to all supported devices (From the iPhone 3GS running 6.1.x and up).

  2. How about OS X? by rvw · · Score: 4, Insightful

    I heard OSX has the same problem.

    @Apple: Admit that it exists (plus give advice how to prevent problems) or let us know that OSX is safe.

    1. Re:How about OS X? by berj · · Score: 5, Informative

      Yes. 10.9.1 has this problem (not sure about earlier versions). 10.9.2, which is in beta, patches the problem. Should be released soon.

  3. Re:And thus is it delivered to all supported devic by berj · · Score: 3, Informative

    They also released 6.1.6 which patches this bug.

  4. Details of bug by DrDevil · · Score: 5, Informative

    The bug is that the cn hostname from the certificate is not verified. So it's possible to use your own website SSL cert as a cert for any other site and Apple devices will accept it no question. Of course, to exploit, you'd need to modify a tool like webmitm to serve a fixed certificate.

    Very very dangerous, seems to be a result of switching away from OpenSSL although details are still flaky.

    1. Re:Details of bug by am+2k · · Score: 3, Insightful

      Apple never "switched away" from openssl, they shipped their own implementation with the very first version of Mac OS X. They only packaged openssl with the system for other apps to use. I actually rewrote the XMPP encryption stuff in Adium to use the security framework instead of openssl way back in 2007, since that allowed me to use the built-in system dialogs for presenting certificates.

  5. goto fail by tero · · Score: 5, Informative

    in
    http://opensource.apple.com/so...

      if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                    goto fail;
                    goto fail;

    1. Re:goto fail by tero · · Score: 4, Informative

      Yeah, you'd think a compiler should have caught that.. but neither GCC or Xcode seems to do that..

      Adam Langley has a great blog post dissecting this:
      https://www.imperialviolet.org...

    2. Re: goto fail by ugen · · Score: 3, Insightful

      Dumb. We are in for more than that. It took a decade to get OpenSSL clean with many more eyes on it.

  6. Re:warning about unreachable code by eddy · · Score: 4, Informative
    Sorry, it's not there. It's silently ignored, which is the WORST POSSIBLE SOLUTION to the problem. Ugh.

    The -Wunreachable-code has been removed, because it was unstable: it relied on the optimizer, and so different versions of gcc would warn about different code. The compiler still accepts and ignores the command line option so that existing Makefiles are not broken. In some future release the option will be removed entirely.

    http://gcc.gnu.org/ml/gcc-help...

    --
    Belief is the currency of delusion.
  7. Re:And thus is it delivered to all supported devic by Anonymous+Brave+Guy · · Score: 3, Funny

    Unfortunately, Apple seem to have abandoned iOS 5 support already.

    iOS 6 isn't even 18 months old yet and was their Windows Vista, so a lot of people didn't upgrade. iOS 7 isn't even 6 months old, had security problems of its own at launch, and runs like a limping dog on some very popular devices still in widespread use, so a lot of people didn't upgrade to that either.

    The vulnerability here was caused by a rookie error that could easily have been found and fixed by following any one of several best practices in their software development process, and for something security-related they should have been following all of them.

    This is a very poor show from Apple on all counts. :-(

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.