Apple’s endpoint protection weakened by vulnerability

by Charles Leaver

February 24, 2014

The exposure of a vulnerability in Apple's encryption software has called into question the security of operations for its users. What began as a vague warning message from Apple to its customers quickly became a conversation about the importance of having the most efficient endpoint protection standards in place to protect against a breach that could expose privileged user information.

"For the protection of our customers"
In a Feb. 21 security content update to customers, Apple alluded to the presence of a vulnerability in devices operating on iOS 7.0.6, including the iPhone 4, iPod Touch 5th generation and iPad models 2 and beyond. The problem in the security infrastructure would enable "an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS," Apple reported. However, the company did not go much beyond that as far as specifying the nature of the vulnerability and how it came about. Apple pointed to "the protection of our customers" as the reason it wouldn't elaborate on the particulars of the issue.

However, Apple's deference to customer safety did not prevent outside experts from launching their own investigation. Shortly after the company's announcement, independent investigators like Adam Langley, whose day job is in infrastructure at Google, set out to pinpoint the vulnerability and the extent of its reach. What Langley and others found shocked them. They discovered that the problem did not affect only iOS 7.0.6 users, as Apple's release had implied. It was more pervasive than that, spreading across OS X devices as well.

That is because the problem is rooted in Apple's Secure Transport software, which provides endpoint protection solutions across many different pieces of software on both mobile and computing devices. As Computerworld pointed out, the glitch in Secure Transport is a relatively small one, but its potential consequences are decidedly larger, since it allows malicious third parties to pose as genuine Web services and then begin extracting user data.

Computer security engineer Alex Radocea was another independent party who, like Langley, set out to ascertain the severity of Apple's error. He found that the flaw enables potential hackers to easily bypass the initial SSL verification walls Apple has in place. Once these walls are scaled, it is easy for a hacker to assume the identity of a valid endpoint and begin a covert attack.

"An adversary [can] masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server," Radocea wrote.

Apple trying to find solutions
For its part, Apple is not standing idly by and watching this bug invade its system. Accompanying its security announcement on Feb. 21, the company released a bug fix for iOS 7.0.6 users designed to correct the vulnerability. Multiple sources report that this has proven to be an effective solution to the problem.

But as Radocea, Langley and others have pointed out, the problem doesn't just affect iOS devices, but also OS X applications like Mail and Safari. The fact that Apple has only released a solution for mobile devices means computing users may still have to worry about an attack. And Apple may be in a race against the clock to protect its computing customers. According to Reuters, malware criminals are already looking for ways to exploit the vulnerability before Apple can correct it.

But Apple spokeswoman Trudy Muller told Reuters the company has already taken the necessary steps to eliminate the problem.

"We are aware of this issue and already have a software fix that will be released very soon," she said.