Apple security fixes raise questions

Apple released a security fix for Mac OS X Mavericks on Tuesday, four days after distributing an update for iOS that patched a previously unknown software vulnerability. Why did it take Apple so long to release an update for Mac OS X, and why was there a bug to begin with?

[Photo: Petar Kujundzic/Reuters/File] Security guards and staff stand at the entrance of an Apple store during the release of iPhone 5 in Beijing's Wangfujing shopping district, in this December 2012 file photo. Apple recently released two security fixes to iOS and OS X Mavericks after a major security flaw was revealed.

On Tuesday, Apple announced that it had fixed a flaw in its Mac OS X Mavericks software, four days after Apple made a similar fix for iOS devices. Just because the problem is fixed, however, doesn’t mean that Apple users’ data wasn’t compromised. Now researchers and security experts are questioning why Apple didn’t catch the bug sooner – or offer a patch for both iOS and OS X Mavericks at the same time.

The newest version of Mac software, OS X 10.9.2, fixes a bug in encryption protection that left user data vulnerable. Essentially, the flaw prevented computers from validating whether a security certificate was real or fake. Instead, it processed all certificates as real – whether they came from a bank or a fraudulent website. This would allow hackers to view communication over desktop apps such as Mail and Safari, and potentially intercept usernames and passwords.

This problem was patched in iOS devices (iPhone, iPod Touch, and iPad) four days earlier, when Apple first disclosed it had discovered the issue.

Apple urged users to download the new iOS and Mac OS X software as soon as possible to avoid any vulnerability.

The potential hack could only happen when a user was on the same wireless network as the hacker, so experts say to be sure to download the new software before logging onto a network at places such as a coffee shop or library.

Now that the flaws are fixed, questions about how Apple could have let this bug go unnoticed have begun to pop up. Researchers have already found the bug in operating systems dating as far back as iOS version 6, which was released in September 2012. There are also questions as to why it took Apple extra days to fix the Mac OS X flaw, when the certificate validation bug apparently was an issue stemming from a single line of code – just missing brackets, according to Reuters. So far Apple has not offered an explanation.
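To show what a validation routine that "processes all certificates as real" because of one unbraced line looks like, here is a constructed illustration (not Apple's code; the check_* steps and error codes are placeholders) of the buggy shape beside the braced version that prevents it:

```c
/* Constructed illustration of the pattern the article describes: an
 * "if" without braces followed by a stray "goto fail;". Not Apple's code.
 * Each check_* stands in for one validation step; 0 means success. */
static int check_chain(int chain_ok)   { return chain_ok ? 0 : -1; }
static int check_hostname(int name_ok) { return name_ok ? 0 : -2; }
static int check_signature(int sig_ok) { return sig_ok ? 0 : -3; }

/* Buggy: the indented second "goto fail;" is not governed by the if
 * above it, so it always runs. The signature check is skipped and err
 * still holds the 0 from the last successful step, so the function
 * reports "accepted" for any certificate whose earlier steps passed. */
int verify_buggy(int chain_ok, int name_ok, int sig_ok)
{
    int err = 0;
    if ((err = check_chain(chain_ok)) != 0)
        goto fail;
    if ((err = check_hostname(name_ok)) != 0)
        goto fail;
        goto fail;   /* stray line: unconditional */
    if ((err = check_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;      /* 0 = certificate accepted */
}

/* Fixed: braces tie each goto to its condition, so every step runs. */
int verify_fixed(int chain_ok, int name_ok, int sig_ok)
{
    int err = 0;
    if ((err = check_chain(chain_ok)) != 0) {
        goto fail;
    }
    if ((err = check_hostname(name_ok)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

A compiler warning for misleading indentation or unreachable code, treated as an error in the build, is the cheap check that catches this shape before it ships.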

Security researchers confirmed that during these days between the iOS and OS X Mavericks updates, they were able to exploit the bug. Aldo Cortesi, a New Zealand security researcher, posted a blog entry Tuesday in which he claimed he had infiltrated App Store and software update traffic, iCloud data, and data from Calendar and Reminders, among others.

“It's difficult to over-state the seriousness of this issue,” he writes. “With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic. This extends to the software update mechanism itself, which uses HTTPS for deployment.”

The last part means that a hacker could potentially latch on to the new update while it is being downloaded, using the flaw in the old operating system. In other words: don’t download the new OS X or iOS while logged onto a public network.

https://www.csmonitor.com/Technology/2014/0226/Apple-security-fixes-raise-questions