Apple leaves Mac OS X coding error unpatched; Sophos expert creates unofficial patch


This past weekend, Mac users were under threat from an OS X security hole that Apple had left unpatched for several days after its discovery by researchers. Sophos expert Paul Ducklin picked through the offending code, and reports at Naked Security that the bug could allow hackers to compromise unpatched OS X Mavericks users with what’s known as a Man-in-the-Middle (MiTM) attack.

Apple doesn’t usually disclose any information about vulnerabilities—not even to say whether it is working on a fix—until a security update is out. But in this case the company broke with protocol to admit the bug and promised that it would publish a patch “very soon.” Apple, late on Tuesday, released a patch for this vulnerability with update OS X 10.9.2. An update for iOS, which led to the discovery of the same flaw in OS X, is available for versions prior to iOS 6.

Before Apple could rush out its patch, Duck rustled up his own unofficial security patch, although he warns, “This isn’t a true fix—rather treat it as a handy learning exercise if you are technically keen and curious.” Read on to learn more about the coding error that leaves Mac users who don’t have this patch vulnerable.

Duck reports that the buggy code could allow users of Mac OS X 10.9 (Mavericks) to be tricked by cybercriminals into accepting SSL/TLS certificates that ought to be rejected. SSL/TLS is the backbone of secure web browsing (HTTPS), and it relies on so-called cryptographic certificates to prevent just anyone from pretending that their imposter website is the real thing.

Usually, an SSL certificate is what stops a crook from sitting on the network between you and your bank—that’s the “Man in the Middle” part—intercepting your web traffic and modifying your communications to take advantage of you.

But this newly-discovered OS X bug means that OS X may tell you an imposter certificate is fine when it isn’t.

As Duck explains, the Apple programmer merely repeated a single line of code accidentally, causing a vital security check to be bypassed. Because this tiny mistake is in a system library that is used widely by Apple applications, numerous programs are affected, from Safari and Mail, through the iWork suite, to Apple’s Software Update utility itself.
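To show the mechanism in working code, here is an added example that is not Apple’s code and not from Duck’s article: a constructed stand-in for the affected verification routine, with the duplicated `goto fail;` alongside the corrected version. The `mock_update` and `mock_verify` helpers are assumptions that simulate the library’s hash-update and signature-check steps; they are not real SSL library calls.

```c
#include <stdio.h>

/* Constructed stand-ins (not the real library): each step returns 0 on
 * success and a non-zero error code on failure. The "verify" step models
 * the signature check that the duplicated line causes to be skipped. */
static int mock_update(int fail) { return fail ? -1 : 0; }
static int mock_verify(int fail) { return fail ? -1 : 0; }

/* Shape of the buggy routine. The second 'goto fail;' is the accidental
 * duplicate: it is unconditional, so control always jumps to the label
 * with err still 0 from the preceding successful call. The verify step
 * below it never runs, and the function reports success regardless. */
int verify_buggy(int verify_fails)
{
    int err;
    if ((err = mock_update(0)) != 0)
        goto fail;
    if ((err = mock_update(0)) != 0)
        goto fail;
        goto fail;                                   /* duplicated line */
    if ((err = mock_verify(verify_fails)) != 0)      /* never reached   */
        goto fail;
fail:
    return err;
}

/* Same routine with the duplicate removed: a failing verify step now
 * propagates its error code to the caller, so the certificate is rejected. */
int verify_fixed(int verify_fails)
{
    int err;
    if ((err = mock_update(0)) != 0)
        goto fail;
    if ((err = mock_update(0)) != 0)
        goto fail;
    if ((err = mock_verify(verify_fails)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* A bad signature (verify_fails = 1) should yield a non-zero error. */
    printf("buggy: bad signature -> err %d (0 means accepted)\n", verify_buggy(1));
    printf("fixed: bad signature -> err %d\n", verify_fixed(1));
    return 0;
}
```

Compiling the buggy version with warnings for unreachable code enabled is one cheap way such a duplicate would have been flagged before it shipped.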

To be on the safe side until Apple fixed the bug (a patch is now available in OS X 10.9.2), Duck recommended that Mac users take these three precautions:

1. Avoid insecure Wi-Fi networks. An attacker could trick you into visiting an imposter HTTPS site by using a poisoned public Wi-Fi access point. Even if you are connecting to a password-protected Wi-Fi access point, you could be vulnerable. If you need a Wi-Fi connection, use a VPN for an encrypted data path.

2. Avoid Safari. Several alternative browsers, notably Firefox, Chromium and Chrome, are immune to this bug. You can switch back to Safari after Apple’s patch is out.

3. Use a web filtering product that can scan HTTPS traffic. Products like the Sophos Web Appliance and Sophos UTM will reject the imposter SSL certificates that OS X would accept.

Anatomy of the Mac OS X “goto fail” bug and an unofficial patch

The programmers among you will definitely want to read the article at Naked Security for Duck’s cogent analysis of the coding error that makes this attack possible. You should also check out his unofficial security patch, but please, for educational purposes only.

As Duck advises, this patch exists only:

  • To demonstrate that emergency “fixes” don’t always truly fix, but often can do little more than work around problems.
  • To show what C code looks like when compiled to assembler.
  • To give some insight into how unauthorized hacks, for good and bad, can be achieved.
  • For fun.

Note: This post was updated to show that Apple released a patch in OS X 10.9.2. Mavericks users, make sure your system is up to date.
