Get the most reliable Cloud Servers. Click here to order.


SureMail™ is the most reliable email service there is. Get less spam and less email virusses. Unlimited autoresponders. Learn more by clicking here.


Find out the difference between the Windows and Linux operating systems. Click here.
SureMail™ is the most reliable email service there is. Get less spam and less email virusses. Unlimited autoresponders. Learn more by clicking here.


Get the most reliable Linux dedicated server at the best price. Click here.


Get the most reliable Cloud Servers. Click here to order.

Apple admits to a security issue with Mac OS X 10.9.1

Share on Twitter.

Get the most dependable SMTP service for your business. You wished you got it sooner!

February 25, 2014

Earlier this morning, Apple has admitted to a security vulnerability in Mac OS X 10.9.1 that allows hackers to intercept and decrypt SSL-encrypted network connections.

The company has promised to release a fix very soon. Sensitive information, such as bank card numbers and account passwords sent over HTTPS, IMAP and other SSL-protected channels from vulnerable Mac computers could easily end up in the hands of attackers as a result of this security flaw.

Apple issued security updates for versions 6 and 7 of its mobile operating system iOS on Friday to address the same flaw in iPhones, iPads and iPods.

However, it quickly became apparent that the security vulnerability also exists in desktop and laptop computers running Mac OS X Mavericks, the latest public release of Apple's desktop OS.

The security flaw was created by a trivial programming cock-up, which causes Apple's SSL/TLS library to skip over vital verification checks of a server's authenticity when establishing a connection.

A malicious router, Wi-Fi access point or other man-in-the-middle system could exploit this to silently masquerade as a legitimate website or online service, and thus intercept, read and tamper with the private contents of a victim's supposedly secure connection.

Overall, Apple's Safari web browser and Mail client running on OS X 10.9.1 are vulnerable to SSL snoopers because they rely on the broken crypto-library.

Other Apple apps such as Facetime and iMessage, and third-party programs using Apple's crocked code, are all faulty as well. Google Chrome and Mozilla Firefox are not vulnerable because they don't use the now insecure SSL library.

Tech-savvy users can use the tool command-line utility to determine whether an application is vulnerable by inspecting the libraries it loads.

Apple's broken SSL library is version 55471, so grepping for that number from otool's output will reveal whether the program is using the knackered Security framework.

"We are aware of this issue and already have a software fix that will be released very soon," said Apple spokeswoman Trudy Muller.

Meanwhile, someone has set up a website called gotofail.com, a reference to the C code issue at the heart of the problem, so that users can check whether their web browsers running on OS X 10.9.1 are vulnerable to the bug or not.

In other OS News

Internet security researcher Jay Freeman has detailed yet another security flaw in the pre-4.4 version of the Android operating system which, similarly to the notorious APK vulnerability exposed earlier this year, opens a hole that malware can sneak through the OS.

Freeman – whose previous credentials include security analysis of Google Glass and uncovering the dodginess of the “iMessage for Android” app – has written in a blog post that he uncovered the extra security vulnerability in June, but waited until Android 4.4 (with a fix) was shipping.

In brief, the extra APK security vulnerability offered a path for an attacker to exploit the way Android used Zip file headers to verify the software. As Freeman explains, Zip still carries an obsolete of its history around with it: lots of filename redundancy in case files had to be split across multiple floppy disks.

To help a program navigate a file, the header includes a field for filename length – this lets an extractor navigate to where the file data is, by skipping the header.

As Freeman writes, the issue is this-- “The Java code in Android 4.3 and earlier, that extracts the file data to verify it, uses the filename length from the central directory. But the C code that extracts the file to install and execute it uses the filename length in the local header.”

A potential attacker could then take a verified app, add their malware, and modify the header length the C-code loader uses to point not to the legitimate app, but to the malware.

As he says-- “The central directory includes a file offset for each local header, so that once the Java code has finished verifying a file, it can jump directly to the next one, thus avoiding the local header data that would cause it to skip forward incorrectly."

In other words, the imposter data, squeezed between the legitimate file and the next local header, is simply ignored.

The fix in that version of Android is to force Java to look at the same data as the C-loader so that a discrepancy is identified.

Source: Apple.

Share on Twitter

Get the most dependable SMTP service for your business. You wished you got it sooner!




home | news archives | advertise with us | contact

Copyright © OS Today.   

All logos or service marks on this website are the property of their respective companies.