Apple flipped the update switch for a number of its products Tuesday, including iOS, OS X, Pages, Numbers, Keynote, and the Airport Extreme. As the downloads commenced and users looked to the change logs, it became clear that the security components of the iOS, OS X and Airport Extreme updates all fix serious flaws that users should address.
The iOS and OS X updates affect iPhones and iPads, and Macs running OS X Mavericks 10.9.2 and Mountain Lion 10.8.5. It has been listed as a critical patch that users should install as soon as possible. The patch corrects a crypto bug known as a “triple handshake.”
From Ars Technica:
The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such “man-in-the-middle” attackers could exploit the bug by abusing the “triple handshake” carried out when secure connections are established by applications that use client certificates to authenticate end users.
And from Apple:
“Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL.
Description: In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.”
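To make the mitigation Apple describes concrete, here is an added example (not Apple's Secure Transport code) that models only the stated rule: the client records the server certificate accepted at the original handshake and, under the patched default, refuses a renegotiation that presents a different one. The certificates are constructed stand-in byte strings, not real DER, and the session class, policy flag and fingerprint helper are assumptions made for the illustration.

```python
"""Model of the renegotiation policy described in Apple's advisory.

Added example, not Apple's code. It models one rule only: after the
patch, a renegotiation must present the same server certificate as the
original connection. Certificates are constructed byte strings,
fingerprinted with SHA-256 the way TLS stacks commonly pin them.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


class RenegotiationError(Exception):
    """Raised when a renegotiation violates the session's certificate policy."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate (hex)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TLSSession:
    """Minimal client-side session state: the server certificate seen at the
    original handshake and the policy applied on renegotiation."""
    require_same_server_cert: bool = True   # patched default in the model
    original_fingerprint: Optional[str] = None
    handshakes: int = 0

    def handshake(self, server_cert: bytes) -> str:
        """Initial handshake: remember which server certificate was accepted."""
        self.original_fingerprint = fingerprint(server_cert)
        self.handshakes = 1
        return self.original_fingerprint

    def renegotiate(self, server_cert: bytes) -> str:
        """Renegotiation: with the patched policy the peer must present the
        certificate from the original connection; otherwise the session is
        torn down instead of being silently rekeyed."""
        if self.original_fingerprint is None:
            raise RenegotiationError("renegotiation before initial handshake")
        fp = fingerprint(server_cert)
        if self.require_same_server_cert and fp != self.original_fingerprint:
            raise RenegotiationError(
                "server certificate changed on renegotiation: "
                f"{self.original_fingerprint[:16]}... -> {fp[:16]}...")
        self.handshakes += 1
        return fp


# Constructed stand-in certificates (not real DER).
HONEST_SERVER_CERT = b"CERT:CN=bank.example"
OTHER_SERVER_CERT = b"CERT:CN=other.example"


def renegotiation_accepted(policy_requires_same_cert: bool, second_cert: bytes) -> bool:
    """Run one connection: original handshake with the honest server's
    certificate, then a renegotiation presenting `second_cert`.
    Returns True if the session accepted the renegotiation."""
    session = TLSSession(require_same_server_cert=policy_requires_same_cert)
    session.handshake(HONEST_SERVER_CERT)
    try:
        session.renegotiate(second_cert)
    except RenegotiationError:
        return False
    return session.handshakes == 2


if __name__ == "__main__":
    print("pre-patch policy, different cert:", renegotiation_accepted(False, OTHER_SERVER_CERT))
    print("patched policy, different cert:  ", renegotiation_accepted(True, OTHER_SERVER_CERT))
    print("patched policy, same cert:       ", renegotiation_accepted(True, HONEST_SERVER_CERT))
```

The first call shows the pre-patch behaviour the advisory warns about (a renegotiation with a different server certificate is accepted); the second shows the patched default rejecting it; the third shows that a legitimate renegotiation with the original certificate still succeeds.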
These security patches come three months after Apple and its users had to deal with the GoToFail bug which was also related to SSL encryption. Apple patched that flaw within four days of the news breaking related to GoToFail. The difference with this “triple handshake” bug is that Apple was not reacting to public news of a security flaw while seeking to patch the vulnerability.
Users can acquire the updates for their iPhones and iPads via Software Update and for their Macs via the Mac App Store. For iOS devices running versions of iOS 7, the security patches were included in iOS 7.1.1. The update is for iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later.
The update for the Airport Extreme addresses the now infamous Heartbleed bug. It affects only the latest model of the Airport Extreme and Airport Time Capsule, both issued in June 2013, and only those units with Apple’s “Back to My Mac” feature enabled were potentially affected. The update corrects the Heartbleed OpenSSL flaw. Older Airport Extremes and Time Capsules were not affected.
The Heartbleed Bug is a flaw in OpenSSL, an open source cryptographic library implementing the SSL/TLS protocols that as much as two-thirds of the Internet uses to encrypt communication between websites, Apps, services and users. Email, messaging, VPNs, Apps, as well as ordinary websites could be impacted. Estimates are that over 500,000 sites may have been affected, although many have been patched in the wake of the news.
For over two years encrypted data stored on servers had been left open to theft along with the encryption keys for that data. If malefactors took both the encrypted data and the crypto keys to decode it, it was as if no encryption protection had been afforded in the first place. Websites and services that do not implement a patch provide a potential threat going forward.
OpenSSL unfortunately keeps no log that would record exploitation of the flaw, so many websites and Apps have had to assume their data may have been compromised.
Users who need to apply the patch for the Airport Extreme or Airport Time Capsule should use AirPort Utility version 6.3.1 or later on Mac OS X, or version 1.3.1 or later on iOS. Instructions can be found here.