Saturday, February 22, 2014
Apple security flaw could allow hackers to beat encryption
from reuters.com
A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.
If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.
"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.
Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited.
But a statement on its support website was blunt: The software "failed to validate the authenticity of the connection."
Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.
Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.
After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OS X, which runs on Apple laptop and desktop computers. No patch is available yet for that operating system, though one is expected soon.
Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.
The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.
Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple's stature and technical prowess.
The company was recently stung by leaked intelligence documents claiming that authorities had a 100 percent success rate in breaking into iPhones.
Friday's news suggests that enterprising hackers could have had great success as well if they knew of the flaw.
Funny how all news lately about Apple is either how much money they take from people or it's about another vulnerability or flaw. More people are starting to wake up to their BS and lies.
"Android remains a prime target for malicious attacks. 98.05% of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture."
http://www.securelist.com/en/analysis/204792326/Mobile_Malware_Evolution_2013
Apparently everyone assumes that Windows and Android are virus magnets. That's just a given. So when an Apple vulnerability appears, it's rare enough to be newsworthy.
Look at you trying to redirect. That's cute. It's clear that you're very defensive about your precious Apple getting ass-raped. Why don't you start your own Android or Windows haters site?
For one thing, I don't "hate" Android and Windows. I simply prefer Apple.
Maybe if haters were so happy and secure with their choice of platforms they wouldn't feel the need to criticize Apple at every opportunity. It seems like they have to take their rage out on someone.
Apple claims to have patched this for iOS but not for the Mac. http://grahamcluley.com/2014/02/critical-security-hole-ios-mac/
goto fail Apple
goto fail Apple
goto fail Apple
goto fail Apple
goto fail Apple
goto fail Apple
goto fail Apple
#vulnerable #fail #securityhole #applesucks
The Mac fix was posted yesterday.
Actually, the fix for Mac still ain't there.
http://www.theaggie.org/2014/03/06/attention-apple-device-users-bug-in-apples-security-code/
I know you desperately want to find fault with Apple, but that's not at all what your linked article says. It just restates the fact that the Mac fix came out on February 25, 4 days later than the iOS fix. There is no problem with the fix.
The 4 day gap is what seems to have everyone so upset. In terms of actual damage, I've yet to hear that Macs were attacked during that interval.
Crawl back under your bridge.
Dude, this site is not about "finding fault" with Apple. If you had half a brain you would be able to tell it's about showing people that Apple products have faults and vulnerabilities just like any other brand. Many people are surprised to find out after they spent 2-3x the money on something that it still has problems. Apple is not perfect, NOTHING IS. I try to show this site to people BEFORE they buy Apple so they are well informed. You need to relax and go post your unintelligent comments on a gay Apple lovers site.
Gay?? Seriously??
Hey, if Apple lovers want to be gay, don't judge. Let them be.
If naming the site applehaters doesn't indicate bias, I don't know what does.
Anonymous March 6, 2014 at 11:16 AM posted a link to an article supposedly supporting his assertion that "Actually, the fix for Mac still ain't there.", when in fact it confirmed just the opposite. That inability to comprehend is the effect that blind hatred has.
If this site hates on Apple because it is not "perfect", where is the outrage against its competitors who by comparison are so much less so?
This notion that Apple is perfect is a straw man constructed by haters. Apple customers are well aware that their products are not perfect. Every one of them can name several things they'd like to see improved. But understand, that most Apple loyalists have tried and owned competing products over the years, and have settled on Apple because overall it provides the best experience. And this is taking everything into account including price.
You cannot "hate" something without having an emotional investment in it. Just sayin' Let it go.