Apple promises fix 'very soon' for Macs with failed encryption

SAN FRANCISCO Sat Feb 22, 2014 5:33pm EST

A shattered large glass panel, part of Apple's cube store on Fifth Avenue, damaged from the results of the snowstorm on Tuesday is seen in New York, January 22, 2014. REUTERS/Shannon Stapleton


SAN FRANCISCO (Reuters) - Apple Inc said on Saturday it would issue a software update "very soon" to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers.

Confirming researchers' findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: "We are aware of this issue and already have a software fix that will be released very soon."

Apple released a fix Friday afternoon for the mobile devices running iOS, and most will update automatically. Once that fix came out, experts dissected it and saw the same fundamental issue in the operating system for Apple's mainstream computers.

That started a race, as intelligence agencies and criminals will try to write programs that take advantage of the flaw on Macs before Apple pushes out the fix for them.

The flaw is so odd in retrospect that researchers faulted Apple for inadequate testing and some speculated that it had been introduced deliberately, either by a rogue engineer or a spy. Former intelligence operatives said that the best "back doors" often look like mistakes.

Muller declined to address the theories.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Adam Langley, who deals with similar programming issues as a Google engineer, wrote on his personal blog that the flaw might not have shown up without elaborate testing.

"I believe that it's just a mistake and I feel very bad for whomever might have slipped," he wrote.

The problem lies in the way the software verifies the digital certificates and signatures that banking sites, Google's Gmail service, Facebook and others use to establish encrypted connections. A single duplicated line in the program, a "goto fail" instruction repeated after an "if" statement that was written without enclosing brackets, meant that the code jumped past the signature check with its error code still reporting success. The server's proof that it holds the private key matching its certificate was therefore never checked, so a hacker could present a genuine site's certificate, sign the key exchange with a key of his own, and be accepted: he can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
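As an added illustration of the mistake described above (this is not Apple's source code, which the article does not reproduce): a stripped-down C reconstruction of the duplicated-line bug beside the corrected form. Only the control-flow shape follows the publicly documented flaw; the hash and signature routines are constructed toy stand-ins rather than real cryptography, the function and variable names are hypothetical, and the sample handshake bytes are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the hash and signature primitives (not real
 * cryptography): FNV-1a over the handshake transcript, and a "signature"
 * that verifies only if it equals the hash's four big-endian bytes. */
typedef struct { uint32_t h; } Hash;
#define HASH_INIT { 2166136261u }   /* FNV-1a offset basis */

/* Returns 0 on success, nonzero on error, mirroring the (err = ...) idiom. */
static int hash_update(Hash *h, const uint8_t *p, size_t n)
{
    if (p == NULL) return -1;
    for (size_t i = 0; i < n; i++) { h->h ^= p[i]; h->h *= 16777619u; }
    return 0;
}

static void hash_final(const Hash *h, uint8_t out[4])
{
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(h->h >> (24 - 8 * i));
}

static int raw_verify(const Hash *h, const uint8_t *sig, size_t sig_len)
{
    uint8_t expect[4];
    hash_final(h, expect);
    return (sig_len == 4 && memcmp(expect, sig, 4) == 0) ? 0 : -1;
}

/* Vulnerable shape. The second "goto fail;" is unconditional: with no braces
 * the if governs only the first goto, so control reaches the cleanup label
 * with err still 0 and raw_verify() never runs. */
int verify_ske_vulnerable(const uint8_t *cr, size_t crn,
                          const uint8_t *sr, size_t srn,
                          const uint8_t *params, size_t pn,
                          const uint8_t *sig, size_t sign)
{
    Hash ctx = HASH_INIT;
    int err;
    if ((err = hash_update(&ctx, cr, crn)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, srn)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, pn)) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    err = raw_verify(&ctx, sig, sign);      /* unreachable */
fail:
    return err;
}

/* Corrected shape: the duplicate is removed and every conditional is braced,
 * so a repeated "goto fail;" would land inside the block it belongs to. */
int verify_ske_fixed(const uint8_t *cr, size_t crn,
                     const uint8_t *sr, size_t srn,
                     const uint8_t *params, size_t pn,
                     const uint8_t *sig, size_t sign)
{
    Hash ctx = HASH_INIT;
    int err;
    if ((err = hash_update(&ctx, cr, crn)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, sr, srn)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, params, pn)) != 0) { goto fail; }
    err = raw_verify(&ctx, sig, sign);
fail:
    return err;
}

/* Constructed handshake sample. FORGED_SIG is what an impersonator who has
 * the site's public certificate but not its private key might send. */
static const uint8_t CR[] = "client-random-example";
static const uint8_t SR[] = "server-random-example";
static const uint8_t PARAMS[] = "ecdhe-params-example";
static const uint8_t FORGED_SIG[4] = { 0xde, 0xad, 0xbe, 0xef };
#define SAMPLE CR, sizeof CR, SR, sizeof SR, PARAMS, sizeof PARAMS

/* Run the sample transcript plus a signature through one of the two shapes. */
int check_sample(int use_fixed, const uint8_t *sig, size_t sign)
{
    return use_fixed ? verify_ske_fixed(SAMPLE, sig, sign)
                     : verify_ske_vulnerable(SAMPLE, sig, sign);
}

/* The signature a legitimate signer (holding the private key) would send. */
const uint8_t *genuine_sample_sig(void)
{
    static uint8_t out[4];
    Hash ctx = HASH_INIT;
    hash_update(&ctx, CR, sizeof CR);
    hash_update(&ctx, SR, sizeof SR);
    hash_update(&ctx, PARAMS, sizeof PARAMS);
    hash_final(&ctx, out);
    return out;
}

int main(void)
{
    printf("vulnerable, forged sig: err=%d (0 = accepted)\n", check_sample(0, FORGED_SIG, 4));
    printf("fixed, forged sig:      err=%d\n", check_sample(1, FORGED_SIG, 4));
    printf("fixed, genuine sig:     err=%d\n", check_sample(1, genuine_sample_sig(), 4));
    return 0;
}
```

The vulnerable shape returns 0 for the forged signature because the error variable is never set by a check that never runs; the fixed shape rejects it and accepts only the genuine one. Note that ordinary error paths still work in the vulnerable version (a failing hash update propagates its nonzero code), which is why normal use and casual testing never exposed the bug. Building with clang and -Wunreachable-code reports the dead call to raw_verify(), a cheap check worth turning into an error in any codebase that relies on this cleanup-label idiom.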

In addition to intercepting data, hackers in that position could alter the traffic as it passes, for example inserting malicious web links into real emails, as a route to taking control of the target computer.

The intruders do need a position on the network path between the victim and the website, either through a relationship with the telecom carrier or through a WiFi wireless setup of the kind common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.

The bug has been present for months, according to researchers who tested earlier versions of Apple's software. No one had publicly reported it before, which means that any knowledge of it was tightly held and that there is a chance it hadn't been used.

But documents leaked by former U.S. intelligence contractor Edward Snowden showed agents boasting that they could break into any iPhone, and that hadn't been public knowledge either.

Apple did not say when or how it learned about the flaw in the way iOS and Mac OS X handle connections protected by Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), the protocols behind the "https" website prefix and the padlock symbol shown to users.

The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc.

(Editing by James Dalgleish)

Comments (11)
arbit3r wrote:
Very soon eh, so what 2 months? From history Apple is quite slow to fix things.

Feb 22, 2014 4:13pm EST
smartnic wrote:
Macs are near the bottom of the Apple value hierarchy, so the last to be fixed.

Feb 22, 2014 7:24pm EST
Appledystopia wrote:
I’ve been following this issue, as I am writing an article about it. The issue is that verification of the SSL connection doesn’t work, not that SSL itself doesn’t work. It’s a real long shot for a user’s device to be compromised. They’d have to type in an incorrect URL and there would have to be a malicious site with that domain ready to intercept their password. So this is like the proverbial camel going through the eye of a needle. There’s no news of anyone being affected, which seems reasonable. The press is really going Chicken Little over this, which is funny considering the security flaws with other operating systems. But I know, as well as anyone, that any flaw or issue with Apple products gets eyeballs on websites.

This is a mistake and not something that I’m happy about, as someone who uses Apple products. But it hasn’t really changed my behavior one bit. I installed the iOS patch on my iPhone, and will do it on my iPad soon. I’m still using my Mac. I’ve been using my Mac for 5 years without any anti-virus software. When I used a PC, even behind a corporate firewall with anti-virus software, my Windows PC would get infected about 2-3 times a year. One year, my development server got infected with Code Red (Nimda) 10 times. It turned out, another machine hadn’t been cleaned and would continually re-infect other servers.

Just make sure you have the correct URL in your browser and make sure that the SSL certificate of the site checks out. This bug affects SSL *verification* and doesn’t mean that SSL encryption doesn’t work. If you have a banking app, there shouldn’t be a problem. You’d have to download a malicious banking app, which Apple’s “walled garden” prevents.

In other words, update your devices, but don’t lose sleep over this. The sky is not falling.

Feb 22, 2014 8:04pm EST