Apple Issues Fix for Security Problem on Macs - New York Times (blog)

A bug in Apple OS X Mavericks software prevented the validation of encryption certificates from supposedly secure servers. (Photo: Mario Anzuoni/Reuters)




Apple has finally issued a security update to its OS X Mavericks software for Macintosh computers, patching a bug that could have let hackers eavesdrop on supposedly encrypted connections and steal everything from usernames and passwords to location data.


Version 10.9.2 comes four days after Apple patched iOS, its mobile operating system, to close the same hole. The OS X update addresses several security issues, including the so-called “goto fail” code bug, which Apple said could allow an attacker to capture or modify data in sessions users believe are protected by the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption methods.


The flaw is extremely serious, and any Mavericks users who haven’t yet updated their OS should do so immediately. In a nutshell, the bug prevents the validation of encryption certificates from supposedly secure servers. So, your Mac or iOS device could think it has received a signed encryption certificate from your bank’s website, but there’s no way to validate that the certificate came from the bank — it could be from a fraudulent website pretending to be the bank and gathering personal data as you type.
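The control-flow mistake behind the bug, shown here as an added illustration that is not Apple's code and not part of the original article: the widely reported pattern was a duplicated `goto fail;` line that made the verification step unreachable while the error variable still held the success value from the previous step. The helper names and error codes below are hypothetical stand-ins.

```c
#include <stdio.h>

/* Error codes, constructed for this example (not Apple's). */
#define ERR_OK    0
#define ERR_HASH -1
#define ERR_SIG  -2

/* Hypothetical stand-ins for the hash-update and signature-check steps.
 * Each returns 0 on success and a negative error code on failure. */
static int update_hash(int step_ok)     { return step_ok ? ERR_OK : ERR_HASH; }
static int check_signature(int sig_ok)  { return sig_ok  ? ERR_OK : ERR_SIG;  }

/* The "goto fail" pattern: the second, unindented goto is unconditional,
 * so the signature check below it can never run, and err still holds 0
 * from the last successful hash update. A forged signature is accepted. */
int verify_exchange_vulnerable(int hash1_ok, int hash2_ok, int sig_ok)
{
    int err;
    if ((err = update_hash(hash1_ok)) != 0)
        goto fail;
    if ((err = update_hash(hash2_ok)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, err == 0 here */
    if ((err = check_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected version: the stray goto is removed, so a bad signature
 * sets err to ERR_SIG and the exchange is rejected. */
int verify_exchange_fixed(int hash1_ok, int hash2_ok, int sig_ok)
{
    int err;
    if ((err = update_hash(hash1_ok)) != 0)
        goto fail;
    if ((err = update_hash(hash2_ok)) != 0)
        goto fail;
    if ((err = check_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* A signature that fails to verify: 0 means "accepted", -2 means "rejected". */
    printf("vulnerable, bad signature: %d\n", verify_exchange_vulnerable(1, 1, 0));
    printf("fixed, bad signature:      %d\n", verify_exchange_fixed(1, 1, 0));
    return 0;
}
```

Compilers do not flag the duplicated line by default; building with unreachable-code warnings enabled, or braces around every conditional body, is the kind of check that would have caught it.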


The errant code affected Apple’s Safari browser as well as iCloud, the Mail email client and any other applications created by Apple, because the company uses its own implementation of SSL/TLS. Since the flaw became public on Friday, when Apple issued its update to iOS, security researchers have been demanding updates to OS X Mavericks.


It’s unknown whether active exploits were created, but a New Zealand security researcher reported today that he wrote a proof-of-concept program that successfully captured supposedly secure data on unpatched iOS and OS X devices.


“Nearly all encrypted traffic, including usernames, passwords and even Apple app updates can be captured,” Aldo Cortesi, of the security consulting firm Nullcube, wrote on his blog. “It’s difficult to overstate the seriousness of this issue.”


It’s also unclear how long the bug has been in OS X and iOS. It seems to have appeared in OS X with the release of version 10.9 in October 2013, but it existed in iOS as far back as version 6, released in September 2012.


A Google engineer named Adam Langley was one of the first to write up the specifics of the “goto fail” bug and noted that “this sort of subtle bug deep in the code is a nightmare. I believe that it’s just a mistake, and I feel very bad for whoever might have slipped in an editor and created it.”


No doubt, there will and should be questions over the next few days about how and when Apple became aware of the bug, why it wasn’t caught and why it took so long to release a fix for OS X.


Since the flaw became public on Friday and in Apple’s own published source code before that, it’s safe to assume that millions of users could have been exposed to “man in the middle” attacks that compromised email, usernames, passwords, calendar updates and even location data.


So if you haven’t already updated your iOS devices and your Macs, you’ve got some patching to do — and so do I.






via apple - Google News http://ift.tt/1pqjHxC
