Apple criticised despite fixing iOS 7 and OS X flaws

Apple has been criticised despite correcting various security flaws on iOS 7 and OS X Lion and Mountain, with one such bug allowing hackers to intercept data via an SSL connection in a Man-in-the-Middle (MiTM) attack.

Apple criticised despite fixing iOS 7 and OS X flaws
Apple criticised despite fixing iOS 7 and OS X flaws

By rolling out iOS 7.1.1 and Mac OS X Security Update 2014-002 on Tuesday, the Cupertino giant looks to have corrected more than 19 flaws in total, including an HTTP vulnerability that allowed hackers with privileged access to obtain website credentials, and an SSL bug which could potentially be used by cyber-criminals to capture data, including passwords, and change operations. 

On OS X Maverick devices, there was a buffer overload flaw which could have led to remote code execution on iPhones and iPads. 

This news comes less than three months after Apple and its users faced the GoToFail bug – also related to a flaw in the SSL encryption – and weeks after the news  broke on the Heartbleed OpenSSL bug, believed to affect two in three websites and as many as 150 million downloaded Android apps (according to analysis from FireEye).

Prior to releasing the fix, Apple detailed the SSL vulnerability as follows in its advisory note

“In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other. 

“To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection,” it reads. 

The iOS 7.1.1 update also fixes other flaws such as memory corruption issues (there were 16 in total) on WebKit – the open-source browser engine used by Safari, Dashboard, Mail, and other OS X applications – which could lead to arbitrary code execution, while the iPhone 5s fingerprint sensor has been improved, after complaints that it was inaccurate and less responsive over time. 

The news, however, hasn't stopped respected infosec professionals from attacking Apple on the roll-out of these security updates. 

Kristin Paget, a white hat hacker who worked on Apple's security team for a year, slammed the company for fixing the same 16 iOS vulnerabilities that were addressed three weeks earlier in a separate update for OS X users. 

This, as some commentators have explained, could have given hackers the opportunity to reverse engineer the fixes for one platform or even develop potent exploits to use against bugs unpatched on iOS. 

She wrote: “Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don't see anything wrong with this? 

“Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms—but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

"In what world is this acceptable?”

 

Chris Boyd, security researcher at Malwarebytes, agreed that it was a surprise that Apple didn't fix the flaws at the same time.  

“It's surprising that the lack of synchronicity in relation to security updates on Apple products is still taking place after a similar situation arose back in February,” he told SCMagazineUK.com

“Telling everybody "We've fixed it here, but not there" seems like a good way to invite attacks on the unpatched cousins living on the other side of town. Having a vulnerability like this out in the wild for any period of time can quickly become an open door for malware and it is something that all major technology providers should seek to avoid.  This is true for both consumer and enterprise platforms.”