Apple security fixes raise questions
Apple released a security fix for Mac OS X Mavericks on Tuesday, four days after distributing an update for iOS that patched a previously unknown software vulnerability. Why did it take Apple so long to release an update for Mac OS X, and why was there a bug to begin with?
On Tuesday, Apple announced that it had fixed a flaw in its Mac OS X Mavericks software, four days after Apple made a similar fix for iOS devices. Just because the problem is fixed, however, doesn’t mean that Apple users’ data wasn’t compromised. Now researchers and security experts are questioning why Apple didn’t catch the bug sooner – or offer a patch for both iOS and OS X Mavericks at the same time.
The newest version of Mac software, OS X 10.9.2, fixes a bug in encryption protection that left user data vulnerable. Essentially, the flaw prevented computers from validating whether a security certificate was real or fake. Instead, it processed all certificates as real – whether it came from a bank or a fraudulent website. This would allow hackers to view communication over desktop apps such as Mail and Safari, and potentially intercept usernames and passwords.
This problem was patched in iOS devices (iPhone, iPod Touch, and iPad) four days earlier, when Apple first disclosed it had discovered the issue.
Apple urged users to download the new iOS and Mac OS X software as soon as possible to avoid any vulnerability.
The potential hack could only happen when a user was on the same wireless network as the hacker, so experts say be sure to download the new software before logging onto a network at places such as a coffee shop or library.
Now that the flaws are fixed, questions about how Apple could have let this bug go unnoticed have begun to pop up. Researchers have already found the bug in operating systems dating as far back as iOS version 6, which was released in September 2012. There are also questions as to why it took Apple extra days to fix the Mac OS X flaw, when the certificate validation bug apparently was an issue stemming from a single line of code – just missing brackets, according to Reuters. So far Apple has not offered an explanation.
Security researchers confirmed that during these days between the iOS and OS X Mavericks updates, they were able to exploit the bug. Aldo Cortesi, a New Zealand security researcher posted a blog Tuesday where he claimed he had infiltrated app store and software update traffic, iCloud data, data from the Calendar, and Reminders, among others.
“It's difficult to over-state the seriousness of this issue,” he writes. “With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic. This extends to the software update mechanism itself, which uses HTTPS for deployment.”
The last part means that a hacker could potentially latch on to the new update while it is being downloaded, using the flaw in the old operating system. In other words: don’t download the new OS X or iOS while logged onto a public network.