Posted on 02/25/2014 10:09:15 AM PST by nickcarraway
Security experts call recent iOS software bug 'scary'
A "scary" software flaw that has put users of iPhones, iPads and Mac computers at risk of being hacked has dealt a blow to the reputation of Apple, the world’s most valuable brand, say security researchers.
Tech watchers say this bug — which Apple quietly announced on Friday — illustrates that the company’s reputation for strong security may be overstated.
"People in general feel, 'It's Apple, so it's secure'," says Brian Bourne, co-founder of Toronto's annual SecTor cybersecurity conference.
“Whereas the truth is that Apple operates within the same bounds as every other software provider, so they’re just as likely to have security vulnerabilities as anybody else.”
Johannes Ullrich, dean of research for the Internet Storm Center, which monitors online threats, goes even further: he calls Apple’s security reputation “a myth.”
Apple’s latest security flaw became public on Friday when it released iOS 7.0.6, explaining that the newest version of its mobile operating system had fixed a bug pertaining to safe browsing.
In explaining the flaw, Apple said that "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS."
SSL/TLS is an encryption standard that enables a web browser to talk to a web server to verify that a site is not a fake set up by hackers to steal personal information on your computer or hand-held device. It's used by banks, credit card companies and government agencies to keep transactions secure.
The iOS bug interfered with this process, making it difficult for applications such as Apple’s Safari browser to confirm that web sites were legitimate.
Popularity breeds vulnerability
In a blog post entitled “Why Apple's Recent Security Flaw Is So Scary,” Gizmodo managing editor Brian Barrett said the bug makes Apple users vulnerable to a so-called “man in the middle attack.”
That type of cryptographic attack involves an attacker eavesdropping on communications between your browser and a given website, including anything from private conversations to financial information.
As a result of this bug, “someone could trick you into connecting to a lookalike website and you wouldn’t be able to tell by looking at the SSL information coming back from that website,” says Ullrich.
SecTor's Bourne says that Apple’s reputation for security is largely due to the fact that its operating system is more restrictive in what it allows installed software programs to do.
But consumer fascination with mobile products such as the iPhone and the iPad has made Apple a more desirable target for hackers, says Urs Hengartner, an associate professor in the University of Waterloo's computer science department at the University of Waterloo.
“Many of the [hacking] exploits are deployed and developed by criminals who make money, so they go after the popular platforms,” he says.
When it comes to Apple products, “we haven’t seen that many security flaws, at least not public ones," says Hengartner. But he echoes the feeling of many in the software community, who say that when Apple does identify a problem in its code, it is slow to respond with an update.
A turning point?
Bourne estimated that this recent, problematic version of Apple’s iOS has been “on the street since October," when the company introduced a patch to fix problems with the launch of its new operating system.
With the latest release of iOS 7.0.6, Apple said it had fixed the bug on mobile devices, but the problem still exists for OS X, which is the operating system for Mac computers.
In a statement about that outstanding problem, Apple said, “We are aware of this issue and already have a software fix that will be released very soon.”
Bourne notes that Apple does not have a sterling reputation in the cybersecurity community, which congregates on websites and online forums to report bugs and share proposed fixes.
“I think most people who try to report [software] vulnerabilities to Apple have been frustrated,” says Bourne. “They don’t engage in the security community in the same way” as other companies, particularly Microsoft, which actively confers with the community to identify bugs and fix them quickly.
In terms of security, Microsoft has made great strides in the last decade, says Bourne. In the 1990s and early 2000s, Microsoft was issuing so many security patches to its operating systems that they gave it a name: “Patch Tuesdays,” which took place on the second Tuesday of every month.
Ulrich says that a key moment for Microsoft was the Blaster worm, a computer virus that infected machines running Windows XP and Windows 2000 in August 2003. The scope of the infection forced Microsoft to focus greater attention on the security of its operating systems, he says.
Hengartner thinks with the latest iOS security flaw, Apple may be reaching a similar point.
“They’re in the same situation that Microsoft was 10 to 15 years ago,” he says.
It was my impression that the main reason Apple has not attracted nearly the volume of successful attacks is because (a) its installed base is much smaller than Windows, and (b) banks and financial institutions tend to use Windows rather than Apple machines.
The iPhone, iPad, and iPod products have vastly increased the number Apple products in everyday use. Because the operating software of these products is virtually identical, they become worthwhile targets for the hacking community.
As a long-time Windows user and programmer, I have no problem acknowledging that Apple has always done a better job on software QA than you see in the Microsoft world. There are many reasons for this; some can be traced to deficiencies in Microsoft the company, but others are simply the result of Microsoft’s more open architecture and business model. This, in turn, traces back to deeply-held philosophical (and even personality) differences between Steve Jobs and Bill Gates, and go back to the beginning of the personal computer era.
Who didn’t know this? But when you have tech news reporters that actively play down problems, an ad departmentment that put out false claims of Apple’s imperviousness to threats, and a fanbase that religiously parrots these claims, then who could blame your average joe for buying into it and then getting hit by this stuff with no protection?
OS-X is based on BSD Unix.
Inherently more secure, although being stupid can make it quite insecure. There is no system on the planet that will completely prevent attacks if someone opens the wrong link or gives out the wrong information.
Sort of like starting with a solidly build house; all you areally need to do is lock the doors and windows and set the alarm. It seems to this non expert that Windows based machines are more akin to trying to secure a cheaply built shack: if you are smart and pay attention you can make it secure enough to discourage all but the most skillful attackers.
The proliferation of I-pads and I-phones using this operating system is a tempting target for hackers especially since most of their users falsely assume their systems are invulnerable and do not take precautions about using unsecured Wi-Fi networks. I would expect to see the Android OS similarly hacked in the future.
Bears repeating. Also, they are all excited about getting something for nothing.
These types should know...if someone gives you something for nothing, you are not the customer, you are the product.
Been using Windows everyday since 3.1 (late 1980’s) and Macs everyday since OS7/1996. The Apple community (via Mac publication like Mac Addict, Mac Life, Macworld) have been warning and recommending that users employ safety precautions such as “virus protection and malware protection since the 90’s and currently. The view has always been that eventually virus writers and malware writers would attack the Mac/Unix operating system. One thing that has offered some protection for Mac OS over Window OS has been the fact that nothing gets installed on a Mac without the user confirming the installation is something they want to do. Note Windows 7 now confirms any changes to the operating system before loading any new program on the Windows 7 machine (have to believe Windows 8 offers the same safety feature).
What’s my point? Misinformation about the vulnerability of Mac OS does not originate from the Mac community. It originates from people that “logically” believe the relatively few Mac viruses compared to the 287,000 (according to Spybot) to 1,100,000 MS Dos/Windows viruses (according to Symantec) means Macs are safer.
BTW: Macs can get a Windows virus if they run Windows programs in emulation or they download a Windows virus within a XL or Word Doc (and although they will not suffer the effect of the virus within the Mac Operating System they can inadvertently spread the virus back to a Windows box by sending the virus laden spread sheet of Word Doc to a Windows user.
The security update Mac just employed has nothing to do with viruses and everything to do with a browser vulnerability that could allow some Mac users to be hacked if they are using their iPhone/iPad or Mac computer on an unprotected wi-fi network (what you might find at the library or coffee shop).
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.