If you’re an Apple user, you should have been notified of the latest updates to iOS and OS X.
Official updates are available for the most recent three OS X versions via the App Store or as standalone installers:
- OS X 10.11.3 El Capitan. (Upgrade from 10.11.2 only.)
- OS X 10.11.3 El Capitan Combo. (Upgrade from any earlier 10.11 version.)
- Security Update 2016-001 for Yosemite. (Previous OS X, 10.10.)
- Security Update 2016-001 for Mavericks. (Pre-previous OS X, 10.9.)
You definitely want this OS X update, because of the security holes it fixes.
In the El Capitan update, for example, Apple has patched six bugs listed as “a local user may be able to execute arbitrary code with kernel privileges”, which means that any malware or other untrusted code that reached your Mac could have acquired unlimited powers – without popping up any password prompts.
Additionally, a libxslt bug that could be triggered via your browser is listed as “visiting a maliciously crafted website may lead to arbitrary code execution.”
It’s the usual story that remote code execution (RCE) and elevation of privilege (EoP) bugs should never be seen in isolation: the RCE gets an attacker’s code running as the logged-in user, and the EoP then lifts it to kernel level, so the two can be combined to provide total remote compromise.
But that’s not what this article is really about!
The most interesting bug of the lot is this one, fixed in the iOS 9.2.1 update:
WebSheet
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious captive portal may be able to access the user's cookies
Description: An issue existed that allowed some captive portals to read or write cookies. The issue was addressed through an isolated cookie store for all captive portals.
CVE-2016-1730: Adi Sharabani and Yair Amit of SKYCURE
The Skycure researchers have now described the hole they found, and it’s both interesting and important at the same time.
CAPTIVE PORTALS
You know how your iPhone tries to detect when a Wi-Fi hotspot is trying to redirect you to a login page, known as a “captive portal”, and then displays the captive portal in a special pop-over browser window?
Greatly simplified, iOS does this by fetching the URL…
http://www.apple.com/library/test/success.html
…and waiting for the captive portal to redirect the request to its own sign-up page.
On a hotspot with a captive portal, instead of seeing Apple’s real “success.html” page, which just contains one word, Success, you see the login page served up by the captive portal, either because the hotspot redirected the request or because it answered in www.apple.com’s place.
That page is whatever mix of HTML, stylesheets, JavaScript, images and so forth that the hotspot provider wishes to present.
This means you can interact with the captive portal, including signing up and agreeing to terms and conditions if necessary, in order to deactivate the captive portal and activate regular access to the internet.
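The probe described above, as an added example that is not Apple’s code: the probe path is the one named in the article, but the classification rules, the reference body and the two local stand-in servers (one playing the open internet, one playing a hotspot that bounces every URL to its own login page) are assumptions constructed so the demo runs offline.

```python
"""Captive-portal probe modelled on the check described in the article.

Added example, not Apple's code. PROBE_PATH is from the article; the
reference body, the verdict strings and both stand-in servers are assumed.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, build_opener

PROBE_PATH = "/library/test/success.html"
# Body our stand-in "real" server returns (assumption: a real probe should
# compare against whatever the genuine page serves, not this literal).
EXPECTED_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def classify(status, body, location=None):
    """Decide from a single probe response which situation we are in."""
    if 300 <= status < 400:
        return "captive: redirected to %s" % (location or "unknown")
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "internet"
    # 200 with a different body means the hotspot answered as www.apple.com
    return "captive: content substituted"


class _NoRedirect(HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url):
    """Fetch the probe URL without following redirects, then classify."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(base_url + PROBE_PATH, timeout=5) as resp:
            return classify(resp.status, resp.read())
    except HTTPError as err:  # 3xx (and 4xx/5xx) land here
        return classify(err.code, err.read(), err.headers.get("Location"))


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

    def _send(self, status, body=b"", location=None):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class OpenInternet(_Quiet):
    """Stand-in for www.apple.com: the tiny success page, unmodified."""
    def do_GET(self):
        self._send(200, EXPECTED_BODY)


class CaptiveHotspot(_Quiet):
    """Stand-in hotspot: every URL is bounced to its own login page."""
    def do_GET(self):
        if self.path == "/login":
            self._send(200, b"<html><body><form>Accept terms</form></body></html>")
        else:
            self._send(302, location="http://%s/login" % self.headers["Host"])


def serve(handler):
    """Start handler on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Probe both stand-ins and return the verdict for each."""
    results = {}
    for name, handler in (("open", OpenInternet), ("hotspot", CaptiveHotspot)):
        server, base = serve(handler)
        try:
            results[name] = probe(base)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of not following redirects is that the redirect itself is the signal: a client that silently follows it would end up comparing the portal’s login page against the expected body, which still works, but loses the Location header that tells you where the portal lives.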
SHARED COOKIES
The Skycure researchers noticed that iOS incorrectly shared web cookies already set in mobile Safari with the captive portal page, as well as sharing new cookies set in the captive portal back with mobile Safari.
That could allow a malicious captive portal to pull off numerous tricks:
- If you were already logged in to various online services, the portal could steal your authentication cookies and later pretend to be you. Your accounts could be hijacked, just like Firesheep all over again.
- If you weren’t logged in, the portal could log in as someone else, and set authentication cookies for later (a session fixation attack). You’d think you were logged in, but your subsequent interactions with services such as social media accounts would happen under someone else’s name.
- The portal could send back booby-trapped replies pretending to be other people’s web pages, along with HTTP headers to mark the bogus content as cacheable for later. These booby-trapped pages could poison your subsequent browsing, for example by tricking your browser into using malicious JavaScript, or by swapping images such as [Allow] and [Deny].
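A model of the first two tricks, shared cookie store against isolated one, as an added example that is neither Skycure’s nor Apple’s code. It uses Python’s standard cookie jar as the browser’s store; the host name, cookie values and the portal’s behaviour are constructed for illustration. The key property it relies on is real: a hotspot sees every plain-HTTP request the device makes and can answer as any host, so any cookie not flagged Secure can be coaxed out by embedding an http:// subresource for that host in the portal page.

```python
"""Shared vs. isolated cookie store behind CVE-2016-1730.

Added example, not Skycure's or Apple's code. social.example, the cookie
values and MaliciousPortal's behaviour are constructed for illustration.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookies):
        self._msg = Message()
        for value in set_cookies:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def seed_safari(jar):
    """Pretend the user logged in to a plain-HTTP site earlier in Safari."""
    req = Request("http://social.example/login")
    jar.extract_cookies(FakeResponse(["session=alice-secret; Path=/"]), req)


class MaliciousPortal:
    """The hotspot: sees every plain-HTTP request and can answer as any host."""
    def __init__(self):
        self.stolen = {}

    def handle(self, req):
        # Trick 1: record whatever Cookie header the client attached.
        cookie_hdr = req.get_header("Cookie")
        if cookie_hdr:
            self.stolen[req.host] = cookie_hdr
        # Trick 2: answer as the impersonated host and plant our own session.
        return FakeResponse(["session=mallory-account; Path=/"])


def websheet_load(jar, portal, url):
    """WebSheet fetching a subresource embedded in the portal's login page."""
    req = Request(url)
    jar.add_cookie_header(req)      # cookies come from whichever store WebSheet uses
    resp = portal.handle(req)       # the hotspot intercepts the plain-HTTP request
    jar.extract_cookies(resp, req)  # ...and its Set-Cookie lands in that same store


def run(isolated):
    """Replay the attack with WebSheet sharing Safari's jar or using its own."""
    safari = CookieJar()
    seed_safari(safari)
    websheet = CookieJar() if isolated else safari   # the iOS 9.2.1 fix is the isolated case
    portal = MaliciousPortal()
    websheet_load(websheet, portal, "http://social.example/pixel.gif")
    return {
        "stolen": dict(portal.stolen),
        "safari": {c.name: c.value for c in safari},
        "websheet": {c.name: c.value for c in websheet},
    }


if __name__ == "__main__":
    print("shared:  ", run(isolated=False))
    print("isolated:", run(isolated=True))
```

In the shared case the portal walks away with alice’s session cookie and leaves mallory’s in Safari; in the isolated case it sees nothing and its planted cookie stays confined to the WebSheet store, which is exactly what the advisory’s “isolated cookie store for all captive portals” buys you.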
A LONG FIX
Believe it or not, Skycure states that “we reported this issue to Apple on June 3, 2013. This is the longest it has taken Apple to fix a security issue reported by us.”
Given the potential severity of this bug, it’s to Skycure’s credit that the company kept faith with Apple and didn’t go public until the fix was finally ready:
It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users.
And, in conclusion, Skycure notes:
Starting with iOS 9.2.1, iOS employs an isolated Cookie Store for all Captive Portals. As with almost any update for iOS, we recommend users and organizations upgrade to the latest iOS version promptly.
We agree – head to Settings | General | Software Update to make sure you’re patched.
Patch early, patch often!
Image of iPhone and Wi-fi logo courtesy of Shutterstock.