Apple SSL Bug In iOS Also Affects OS X 140
Trailrunner7 writes "The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS. Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found. Some users are reporting that Apple is rolling out a patch for his vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable."
NSA (Score:5, Interesting)
Some bloggers and commentators online (no mainstream media news sites... yet) have suggested that this bug was introduced by the NSA based on the fact that Snowden's leaked slides showed evidence that the NSA had developed and was working on further ways of targeting and compromising secured iOS traffic.
We know the NSA compromised RSA through Dual EC_DRBG. It's not hard to imagine they wanted to compromise SSL/TLS on Apple platforms.
The bug was found via internal code review according to the credits for discovery, which means nobody else has disclosed they knew about this in the wild (so this is an exposed zero day crypto exploit on both OS X and iOS platforms).
This link is informative - the kicker is he properly indented but obviously duplicated and incorrect "goto fail;"
https://www.imperialviolet.org... [imperialviolet.org]
static OSStatus ...
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) ...
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
Maybe this came out due to bad coding practices, but the kind of bug where the code visually looks ok on the surface, compiles and passes without compiler warnings, and works fine aside from allow the comprise is very suspect.
And at the minimum the NSA has been exploiting this rather than alerting people. Our government needs to stop weakening computer security and go back to working for the people, not against them.
Re:Lets see how far back... (Score:3, Interesting)
No, that's not correct at all. First, it doesn't affect 10.8.5, either, which blows that theory. Second, Secure Transport was introduced way back in 10.2, and has been used for Foundation and Core Foundation SSL negotiation since at least 10.4, according to various security vulnerability reports (and probably earlier). In other words, this has absolutely nothing to do with Apple "switching" anything. It's just a bug, and a fairly recent bug at that.
Re:NSA (Score:4, Interesting)
This bug looks like the sort of bugs that can come from merging between different code branches in very large codebases. A duplicated line, or a missing line, is a common merge-conflict resolution, *especially* where essentially the same code was added in both branches and then merged together. As an example, if this was a refactor of an existing function that was made similarly in two branches, but a little extra trailing whitespace was clipped in only one branch, then you could get a duplicate line out of an automerge operation.