egoreii

Q: Do I need to download the new security update fix for SSL connection

Do I need to download & install the new security update fix for SSL connection? Can anyone explain the flaw?

MacBook Pro, OS X Mavericks (10.9.1)

Posted on Feb 23, 2014 8:16 AM

  • by Upwind,

    Upwind, Feb 24, 2014 6:02 PM in response to MadMacs0
    Level 1 (0 points)

    MadMacs0 wrote:

     

    blue5ft3 wrote:

     

    Thanks, I'll use Chrome until a fix is available then, and what do I do with my mail? Use my iPad I guess

    Sorry, but it doesn't sound like I've adequately explained things. Exactly what are you concerned about? I think we've all said that you're going to be safe on an adequately secured home network, so is there any reason to think that you're not? Yes, your Mavericks software is vulnerable to attack, but only if somebody is on the same network that you are using at the time. I have not heard anything that would lead me to believe there is such a person.

    Unfortunately this is absolutely not correct.  While "public" wifi is a primary concern it is far from the only concern.

     

    SSL is meant to provide end to end security and validation.  This bug effectively makes SSL useless.  There are many potential vulnerabilities, exploits, and points of attack along the many various components between your Mac and the site you are using that would otherwise be mitigated by the use of SSL, but become much more critical in the face of this issue.  A very simple DNS-related attack, for instance, would go unnoticed and what would be assumed to be protected sessions would in fact not be.  There are also reports that there are exploits already in the wild to take advantage of this, and they are not limited to public wifi.

     

    The short answer is that with this bug you are at risk, period.  There are many ways that traffic can be otherwise intercepted beyond the first point of connection for your Mac.  You may be safer on a home network but you are definitely not safe.

  • by MadMacs0,

    MadMacs0, Feb 24, 2014 6:06 PM in response to Upwind
    Level 5 (4,791 points)

    Upwind wrote:


    There are also reports that there are exploits already in the wild to take advantage of this, and they are not limited to public wifi.

    A group of us are monitoring this in real-time and have seen no such reports, so it would be really helpful if you could provide some references.

     

    I'll be back to respond to some of the other things you've said, but have hotter issues to tend to.

  • by MadMacs0,

    MadMacs0, Feb 24, 2014 8:48 PM in response to Romko15
    Level 5 (4,791 points)

    Sorry for the late reply, but the forum seems to have gone down for some unscheduled maintenance (and there still seem to be some problems).

    Romko15 wrote:

     

    Unfortunately I had to download Mavericks because my Yahoo mail wouldn't work right when they "improved" it, so now more problems.

    Hadn't heard about that, but I think you'll be pleased with Mavericks in the long run.

    I just learned about this Apple "flaw" and I use Safari. Should I be real concerned, especially since I get to share my network with my landlord who doesn't know why the Wi-Fi never works properly anyway?...should I use Firefox until Apple fixes the problem?

    I think a bit of perspective would be in order. This flaw has been there for several months since Mavericks first came out (even longer for iOS 6) and I have seen no reported instances of it having caused any compromises. Admittedly, now that its details are apparently well publicized, it shouldn't take the bad guys long to produce the tools necessary to exploit it (almost certainly in public places). Upwind seems to think they already are, but he needs to get back to us on that.

     

    We all went through this once before several years ago when it was shown that a hacker with the appropriate tool could sit a few tables down from you at Starbucks and watch everything you were doing while logged onto the public Wi-Fi. One of the answers then was to press for broader adoption of SSL to encrypt key data while using such networks and there has been modest, but not universal progress in that area. Back then we had solid evidence that such hacking was taking place and the tool was available to anybody that wanted to download it, but there was little evidence that much of anything was compromised at the time or since.

     

    I expect that patch to be released way before the hackers can get their tools developed and into wide-spread use.  Since there are ways to mitigate such compromises while you wait, it would certainly be smart for users to do these things, just to make sure you aren't among the first to be hacked in this manner, but I don't believe it's anything to panic over.

    I used to love my MAC, but in the last year ?????

    If it makes you feel any better, Microsoft issues patches for problems just like this in Internet Explorer and Windows once a month, every second Tuesday.  Sophos reports that they see over 95,000 potential new threats for Windows *every day*! Similarly with Adobe and Oracle.

  • by Upwind,

    Upwind, Feb 25, 2014 9:42 AM in response to MadMacs0
    Level 1 (0 points)

    MadMacs0 wrote:

     

     

    I think a bit of perspective would be in order. This flaw has been there for several months since Mavericks first came out (even longer for iOS 6) and I have seen no reported instances of it having caused any compromises. Admittedly, now that its details are apparently well publicized, it shouldn't take the bad guys long to produce the tools necessary to exploit it (almost certainly in public places). Upwind seems to think they already are, but he needs to get back to us on that.

     

    We all went through this once before several years ago when it was shown that a hacker with the appropriate tool could sit a few tables down from you at Starbucks and watch everything you were doing while logged onto the public Wi-Fi. One of the answers then was to press for broader adoption of SSL to encrypt key data while using such networks and there has been modest, but not universal progress in that area. Back then we had solid evidence that such hacking was taking place and the tool was available to anybody that wanted to download it, but there was little evidence that much of anything was compromised at the time or since.

     

    I expect that patch to be released way before the hackers can get their tools developed and into wide-spread use.  Since there are ways to mitigate such compromises while you wait, it would certainly be smart for users to do these things, just to make sure you aren't among the first to be hacked in this manner, but I don't believe it's anything to panic over.

    That is the point - the tools already exist and have since the introduction of SSL.  There is no development required - only the implementation.

     

    To make this completely simple:  anyone can claim they are 'Bank of America' for instance.  The certificate chain does not need to be valid since it is never checked.  An unknowing user would be legitimately using the real BofA site, all the while everything they are doing is being captured including passwords and other account details.

     

    As another kicker - anyone can claim to be 'Apple' similarly, and when one thinks they are downloading official updates (including the fix for this issue), they are in fact installing additional malicious code that does not originate from Apple.

     

    A simple DNS intercept (by one of many methods that have already been out in the wild) is one method that can be used.  In fact with the last couple of rounds of DNS issues it was noted specifically that the use of SSL would protect against these.

     

    An interception anywhere between your Mac and the site you are using - every provider, every piece of hardware, every network link, every proxy, every firewall, and pretty much every piece of software on any piece of equipment between those endpoints is a point of exposure.  Every employee at every one of those providers becomes a potential point of exposure.  Even mistakenly clicking on a link/url has a new point of attack with this vulnerability (I won't get into more detail here).

     

    This is not about creating a tool to exploit SSL or a weakness in SSL.  It is that SSL provides no protection with this vulnerability, and those protections would otherwise have a very wide scope.  SSL provides mitigation against a fairly large number of other exploits - exactly what it is meant to do by providing end/end security and validation.

     

    As for knowing whether a compromise was made - that's what makes this even more risky.  There would be no evidence until victims start to find the results of theft.  It may not even occur immediately - passwords can be captured and saved for later use or sale, for instance.  It may never even be known or realized that this vulnerability was leveraged in the commitment of those thefts since there would otherwise be no evidence.

  • by MadMacs0,

    MadMacs0, Feb 25, 2014 11:56 AM in response to egoreii
    Level 5 (4,791 points)

    APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update
    2014-001

    OS X Mavericks 10.9.2 and Security Update 2014-001 is now available
    and addresses the following:

    Apache
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Multiple vulnerabilities in Apache
    Description:  Multiple vulnerabilities existed in Apache, the most
    serious of which may lead to cross-site scripting. These issues were
    addressed by updating Apache to version 2.2.26.
    CVE-ID
    CVE-2013-1862
    CVE-2013-1896

    App Sandbox
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  The App Sandbox may be bypassed
    Description:  The LaunchServices interface for launching an
    application allowed sandboxed apps to specify the list of arguments
    passed to the new process. A compromised sandboxed application could
    abuse this to bypass the sandbox. This issue was addressed by
    preventing sandboxed applications from specifying arguments. This
    issue does not affect systems running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

    ATS
    Available for:  OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing or downloading a document containing a maliciously
    crafted embedded font may lead to arbitrary code execution
    Description:  A memory corruption issue existed in the handling of
    Type 1 fonts. This issue was addressed through improved
    bounds checking.
    CVE-ID
    CVE-2014-1254 : Felix Groebert of the Google Security Team

    ATS
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  The App Sandbox may be bypassed
    Description:  A memory corruption issue existed in the handling of
    Mach messages passed to ATS. This issue was addressed through
    improved bounds checking.
    CVE-ID
    CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

    ATS
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  The App Sandbox may be bypassed
    Description:  An arbitrary free issue existed in the handling of Mach
    messages passed to ATS. This issue was addressed through additional
    validation of Mach messages.
    CVE-ID
    CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

    ATS
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  The App Sandbox may be bypassed
    Description:  A buffer overflow issue existed in the handling of Mach
    messages passed to ATS. This issue was addressed by additional bounds
    checking.
    CVE-ID
    CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

    Certificate Trust Policy
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Root certificates have been updated
    Description:  The set of system root certificates has been updated.
    The complete list of recognized system roots may be viewed via the
    Keychain Access application.

    CFNetwork Cookies
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  Session cookies may persist even after resetting Safari
    Description:  Resetting Safari did not always delete session cookies
    until Safari was closed. This issue was addressed through improved
    handling of session cookies. This issue does not affect systems
    running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

    CoreAnimation
    Available for:  OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact:  Visiting a maliciously crafted site may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A heap buffer overflow existed in CoreAnimation's
    handling of images. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1258 : Karl Smith of NCC Group

    CoreText
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  Applications that use CoreText may be vulnerable to an
    unexpected application termination or arbitrary code execution
    Description:  A signedness issue existed in CoreText in the handling
    of Unicode fonts. This issue is addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

    curl
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  An attacker with a privileged network position may intercept
    user credentials or other sensitive information
    Description:  When using curl to connect to an HTTPS URL containing
    an IP address, the IP address was not validated against the
    certificate. This issue does not affect systems prior to OS X
    Mavericks v10.9.
    CVE-ID
    CVE-2014-1263 : Roland Moriz of Moriz GmbH

    Data Security
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  An attacker with a privileged network position may capture
    or modify data in sessions protected by SSL/TLS
    Description:  Secure Transport failed to validate the authenticity of
    the connection. This issue was addressed by restoring missing
    validation steps.
    CVE-ID
    CVE-2014-1266

    Date and Time
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  An unprivileged user may change the system clock
    Description:  This update changes the behavior of the systemsetup
    command to require administrator privileges to change the system
    clock.
    CVE-ID
    CVE-2014-1265

    File Bookmark
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing a file with a maliciously crafted name may lead to
    an unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of file
    names. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1259

    Finder
    Available for:  OS X Mavericks 10.9 and 10.9.1
    Impact:  Accessing a file's ACL via Finder may lead to other users
    gaining unauthorized access to files
    Description:  Accessing a file's ACL via Finder may corrupt the ACLs
    on the file. This issue was addressed through improved handling of
    ACLs.
    CVE-ID
    CVE-2014-1264

    ImageIO
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing a maliciously crafted JPEG file may lead to the
    disclosure of memory contents
    Description:  An uninitialized memory access issue existed in
    libjpeg's handling of JPEG markers, resulting in the disclosure of
    memory contents. This issue was addressed by better JPEG handling.
    CVE-ID
    CVE-2013-6629 : Michal Zalewski

    IOSerialFamily
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5
    Impact:  Executing a malicious application may result in arbitrary
    code execution within the kernel
    Description:  An out of bounds array access existed in the
    IOSerialFamily driver. This issue was addressed through additional
    bounds checking. This issue does not affect systems running OS X
    Mavericks v10.9 or later.
    CVE-ID
    CVE-2013-5139 : @dent1zt

    LaunchServices
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5
    Impact:  A file could show the wrong extension
    Description:  An issue existed in the handling of certain unicode
    characters that could allow filenames to show incorrect extensions.
    The issue was addressed by filtering unsafe unicode characters from
    display in filenames. This issue does not affect systems running OS X
    Mavericks v10.9 or later.
    CVE-ID
    CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
    of Intego

    NVIDIA Drivers
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Executing a malicious application could result in arbitrary
    code execution within the graphics card
    Description:  An issue existed that allowed writes to some trusted
    memory on the graphics card. This issue was addressed by removing the
    ability of the host to write to that memory.
    CVE-ID
    CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation
    Nouveau project
    CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation
    Nouveau project

    PHP
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Multiple vulnerabilities in PHP
    Description:  Multiple vulnerabilities existed in PHP, the most
    serious of which may have led to arbitrary code execution. These
    issues were addressed by updating PHP to version 5.4.22 on OS X
    Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
    CVE-ID
    CVE-2013-4073
    CVE-2013-4113
    CVE-2013-4248
    CVE-2013-6420

    QuickLook
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  Downloading a maliciously crafted Microsoft Office file may
    lead to an unexpected application termination or arbitrary code
    execution
    Description:  A memory corruption issue existed in QuickLook's
    handling of Microsoft Office files. Downloading a maliciously crafted
    Microsoft Office file may have led to an unexpected application
    termination or arbitrary code execution. This issue does not affect
    systems running OS X Mavericks 10.9 or later.
    CVE-ID
    CVE-2014-1260 : Felix Groebert of the Google Security Team

    QuickLook
    Available for:  OS X Mountain Lion v10.8.5,
    OS X Mavericks 10.9 and 10.9.1
    Impact:  Downloading a maliciously crafted Microsoft Word document
    may lead to an unexpected application termination or arbitrary code
    execution
    Description:  A double free issue existed in QuickLook's handling of
    Microsoft Word documents. This issue was addressed through improved
    memory management.
    CVE-ID
    CVE-2014-1252 : Felix Groebert of the Google Security Team

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of 'ftab'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1246 : An anonymous researcher working with HP's Zero Day
    Initiative

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A memory corruption issue existed in the handling of
    'dref' atoms. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day
    Initiative

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of 'ldat'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1248 : Jason Kratzer working with iDefense VCP

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Viewing a maliciously crafted PSD image may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of PSD
    images. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1249 : dragonltx of Tencent Security Team

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  An out of bounds byte swapping issue existed in the
    handling of 'ttfo' elements. This issue was addressed through
    improved bounds checking.
    CVE-ID
    CVE-2014-1250 : Jason Kratzer working with iDefense VCP

    QuickTime
    Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
    OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
    Impact:  Playing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A signedness issue existed in the handling of 'stsz'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day
    Initiative

    Secure Transport
    Available for:  OS X Mountain Lion v10.8.5
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There were known attacks on the confidentiality of SSL
    3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode.
    To address these issues for applications using Secure Transport, the
    1-byte fragment mitigation was enabled by default for this
    configuration.
    CVE-ID
    CVE-2011-3389 : Juliano Rizzo and Thai Duong

    OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.

    OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from
    the Mac App Store or Apple's Software Downloads web site:
    http://www.apple.com/support/downloads/

    Information will also be posted to the Apple Security Updates
    web site: http://support.apple.com/kb/HT1222
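
Added example, not part of the thread and not Apple's source: the Data Security entry above (CVE-2014-1266) says validation steps were missing, and the thread describes a check that is never performed. The C model below follows the widely published form of that defect, a duplicated `goto fail;` in the handshake signature check, next to a corrected verifier. The toy hash, the XOR "signature", the sample data and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins (assumptions): 32-bit FNV-1a replaces SHA-1 and an XOR with
 * the server key replaces the RSA signature. Not secure; the point is the
 * verifier's control flow, not the cryptography. */
#define FNV_INIT 2166136261u
typedef struct { uint32_t h; } hash_ctx;

/* Constructed sample handshake data. */
const uint8_t SAMPLE_NONCE[]  = "client-random|server-random";
const uint8_t SAMPLE_PARAMS[] = "key-exchange-params";
const uint32_t SERVER_KEY = 0x5eedc0deu;

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    if (p == NULL) return -1;
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}

static int check_tag(uint32_t key, uint32_t digest, uint32_t tag) {
    return (digest ^ key) == tag ? 0 : -2;      /* 0 means signature valid */
}

/* Honest server: sign the nonces and its key-exchange parameters. */
uint32_t toy_sign(uint32_t key, const uint8_t *nonce, size_t nl,
                  const uint8_t *params, size_t pl) {
    hash_ctx c = { FNV_INIT };
    hash_update(&c, nonce, nl);
    hash_update(&c, params, pl);
    return c.h ^ key;
}

/* Flawed verifier: an unbraced `if` guards only one statement, so the second
 * `goto fail;` always runs. err is still 0 at that point, so the function
 * reports success without ever reaching check_tag(). */
int verify_flawed(uint32_t key, const uint8_t *nonce, size_t nl,
                  const uint8_t *params, size_t pl, uint32_t tag) {
    int err;
    hash_ctx c = { FNV_INIT };
    if ((err = hash_update(&c, nonce, nl)) != 0)
        goto fail;
    if ((err = hash_update(&c, params, pl)) != 0)
        goto fail;
    goto fail;              /* the duplicated line: always taken, err == 0 */
    if ((err = check_tag(key, c.h, tag)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected verifier: every branch braced, no stray jump, check always runs. */
int verify_fixed(uint32_t key, const uint8_t *nonce, size_t nl,
                 const uint8_t *params, size_t pl, uint32_t tag) {
    int err;
    hash_ctx c = { FNV_INIT };
    if ((err = hash_update(&c, nonce, nl)) != 0) { goto fail; }
    if ((err = hash_update(&c, params, pl)) != 0) { goto fail; }
    if ((err = check_tag(key, c.h, tag)) != 0) { goto fail; }
fail:
    return err;
}

int main(void) {
    size_t nl = sizeof SAMPLE_NONCE - 1, pl = sizeof SAMPLE_PARAMS - 1;
    /* Flip one bit of a genuine tag: a value the real key never produced. */
    uint32_t forged = 1u ^ toy_sign(SERVER_KEY, SAMPLE_NONCE, nl, SAMPLE_PARAMS, pl);
    printf("flawed: %d, fixed: %d\n",
           verify_flawed(SERVER_KEY, SAMPLE_NONCE, nl, SAMPLE_PARAMS, pl, forged),
           verify_fixed(SERVER_KEY, SAMPLE_NONCE, nl, SAMPLE_PARAMS, pl, forged));
    return 0;
}
```

Building with clang's `-Wunreachable-code`, or requiring braces on every conditional in code review, flags the dead signature check in `verify_flawed`.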
