Apple Updates (not just Yosemite)

Published: 2014-10-17. Last Updated: 2014-10-17 12:42:04 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Apple yesterday released the latest version of its operating system, OS X 10.10 Yosemite. As usual, the new version of the operating system includes a number of security related bug fixes, and today Apple released those fixes as a separate security update for older versions of OS X.

This update, Security Update 2014-005, is available for versions of OS X back to 10.8.5 (Mountain Lion).

Among the long list of fixes, here are a couple of highlights:

Apple doesn't turn off SSLv3 in this release, but restricts it to non-CBC cipher suites, limiting its exposure to CBC padding attacks like POODLE and BEAST. Keep in mind that SSLv3 has no AEAD suites, so once the CBC suites are gone the only SSLv3 suites left to negotiate are RC4-based stream ciphers: this is a mitigation, not a fix, and disabling SSLv3 outright remains the better option where you control the software. The list of trusted certificate authorities has also been updated [2].

802.1X no longer supports LEAP by default, due to known weaknesses in that authentication method.

The bash fix that was released earlier as a standalone update to counter "Shellshock" is included in this update.

An arbitrary code execution vulnerability in CUPS was fixed (CVE-2014-3537).

And a quick note about OS X 10.10 Yosemite:

After installing it, all security relevant settings I checked were untouched (good!). Among security relevant software, GPGMail will not work with Yosemite yet, but according to the developers, a fix is in the works and may be released in a few weeks, but GPGMail may no longer be free. If you rely on software that you compiled with MacPorts: wait for the release of Xcode 6.1, as it is required to recompile the software for OS X 10.10. In general, it is advised that you FIRST update all your software and then upgrade to Yosemite. Little Snitch, another popular piece of security software for OS X, works well with Yosemite, but I recommend you turn off the network filter during the upgrade (it works with it enabled, but you need to approve a lot of new connections from new software).

[1] http://support.apple.com/kb/HT1222
[2] http://support.apple.com/kb/HT6005

---
Johannes B. Ullrich, Ph.D.

Comments

You should note that the Security Update 2014-005 for Mavericks and Mountain Lion only fixes the Shellshock and POODLE bugs. The other 43 vulnerabilities fixed in Yosemite go unpatched in those earlier versions.

And there are many patches for iTunes and OS X Server. See http://www.zdnet.com/apple-patches-144-security-flaws-across-seven-products-7000034791/
I enable inbound ssh on my Mac. My sshd_config was moved aside in favor of a vanilla version. How vanilla? It permits root logins, vanilla.
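The check a practitioner would want after reading the comment above, as an added example (not code from the diary or from the commenter): parse an sshd_config and report the effective PermitRootLogin, so a "vanilla" file restored by an installer is caught even when the directive is only present as a commented-out default. It assumes OpenSSH of that era (before 7.0), where PermitRootLogin defaults to "yes" when the directive is absent; it also relies on sshd honouring the first occurrence of a keyword, and it skips everything after a Match line because those settings are conditional. Both config texts are constructed samples.

```python
# Added example, not from the diary or its comments: detect whether an
# sshd_config that an installer replaced leaves root logins enabled.
# Assumptions: pre-OpenSSH-7.0 defaults (PermitRootLogin defaults to "yes"),
# first occurrence of a keyword wins, Match blocks are conditional and skipped.
import re

# Documented defaults (pre-OpenSSH-7.0) for the directives this check watches.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed sample: the file as hardened before the upgrade.
HARDENED = """\
# hardened before the upgrade (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Constructed sample: a vendor file where the defaults are only shown commented out.
VANILLA = """\
# vendor file restored by the installer (constructed sample)
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Blank lines and comments are ignored, "Key value" and "Key=value" are both
    accepted, only the first occurrence of a keyword counts, and parsing stops
    at the first Match line because everything after it is conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def effective(settings, keyword):
    """Value sshd would actually use: the explicit setting, else the default."""
    k = keyword.lower()
    return settings.get(k, DEFAULTS.get(k))


def audit(text):
    """{keyword: (effective_value, explicitly_set)} for the watched directives."""
    s = parse_sshd_config(text)
    return {k: (effective(s, k), k in s) for k in DEFAULTS}


def changed_settings(before, after):
    """Watched directives whose effective value differs between two config
    texts, e.g. your pre-upgrade file and the one the installer put in place."""
    b, a = audit(before), audit(after)
    return {k: (b[k][0], a[k][0]) for k in DEFAULTS if b[k][0] != a[k][0]}


def root_login_allowed(text):
    """True unless PermitRootLogin is effectively 'no' (absence means 'yes')."""
    return effective(parse_sshd_config(text), "PermitRootLogin") != "no"


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("vanilla", VANILLA)):
        print(name, audit(cfg), "root login allowed:", root_login_allowed(cfg))
    print("changed by the upgrade:", changed_settings(HARDENED, VANILLA))
```

Run it against `/etc/sshd_config` (or wherever your system keeps it) by reading the file into `audit()`; the point of reporting `explicitly_set` is that a directive that silently fell back to its default is exactly what an installer's replacement file produces.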
Johannes Ullrich wrote:
> Apple doesn't turn off SSLv3 in this release, but restricts it to
> non-CBC ciphers, limiting its exposure to attacks like POODLE and BEAST.

Not taking into account useless SSLv3 cipher suites, AFAIK that leaves:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA

Concerns regarding the security of RC4 have existed since 1995 (see http://en.wikipedia.org/wiki/RC4#Roos.27_biases_and_key_reconstruction_from_permutation )

On 2013-03-13 RC4 was broken, "Royal Holloway attack" (see http://www.isg.rhul.ac.uk/tls/ )
To be honest, particularly on slow network connections, the described attack could cause significant delays. However, networks get faster and faster and people might not associate delays with attacks (M2M connections are another story).

On 2013-11-06 Jacob Appelbaum wrote:
> RC4 is broken in real time by the NSA - stop using it.
(see https://twitter.com/ioerror/status/398059565947699200 )
As we all know, NSA is having some problems keeping secrets, so knowledge beyond the "Royal Holloway attack" might as well be in the hands of unfriendly nations and/or cyber criminals.

On 2014-04-22 Alyssa Rowan points out that using RC4 implies no forward secrecy:
> And of course, any break in RC4 will be retroactively applicable
> to data collected now.
(see https://bugzilla.mozilla.org/show_bug.cgi?id=999544#c0 )

This week, in relation to the Poodle attack, Ivan Ristic wrote about RC4:
> In the short term, it's possible to mitigate POODLE by avoiding using
> CBC suites with SSL 3, but that involves relying on a certain insecure
> stream cipher whose name no one wants to mention. I don't recommend
> this approach.
(see https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack )

What makes matters worse is that many public and important https servers (at least in the Netherlands) still support RC4. Which wouldn't be too bad - if these servers didn't promote the use of RC4 in their preferred cipher suite. Which results in the fact that, even while using the latest web browser, one ends up using RC4-encrypted connections.
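To make both points concrete, the diary's "keep SSLv3 but drop its CBC suites" policy and the commenter's observation that RC4-first servers drag even a current browser onto RC4, here is an added example (not code from the diary, the commenter, or Apple). It models suite selection with IANA-style names: with CBC suites filtered out of an SSLv3 offer, only the two RC4 suites listed above survive, and with the usual server-preference setting the server's first mutually supported suite wins regardless of what the client lists first. All suite lists are constructed samples, and `secure_transport_2014_005` is this example's own name for the modelled behaviour, not an Apple API.

```python
# Added example, not from the diary or its comments: classify cipher suites,
# model the "SSLv3 without CBC" policy, and show how server preference order
# decides whether RC4 ends up in use. Suite lists are constructed samples.


def classify(suite):
    """Return (mode, forward_secrecy) for an IANA-style suite name.

    mode: 'stream' for RC4, 'cbc' for a block cipher in CBC mode,
          'aead' for GCM/CCM/ChaCha20-Poly1305, 'other' otherwise.
    forward_secrecy: True for ephemeral key exchange (ECDHE or DHE).
    """
    kx, _, bulk = suite.partition("_WITH_")
    fs = "DHE" in kx                     # matches ECDHE and DHE, not static DH or RSA
    if "RC4" in bulk:
        mode = "stream"
    elif "_CBC_" in bulk:
        mode = "cbc"
    elif "_GCM_" in bulk or "_CCM" in bulk or "CHACHA20" in bulk:
        mode = "aead"
    else:
        mode = "other"
    return mode, fs


def secure_transport_2014_005(protocol, offered):
    """Model of the client-side change the diary describes (hypothetical name):
    SSL 3.0 stays enabled but no CBC suite is offered over it; TLS is untouched."""
    if protocol != "SSLv3":
        return list(offered)
    return [s for s in offered if classify(s)[0] != "cbc"]


def poodle_exposed(protocol, suite):
    """POODLE needs SSL 3.0 *and* CBC padding; an RC4 suite is not exposed
    to POODLE, whatever its other problems."""
    return protocol == "SSLv3" and classify(suite)[0] == "cbc"


def negotiate(client_offer, server_list, server_preference=True):
    """Suite the handshake ends with. With server preference (the common
    server default) the first entry of the server's list that the client also
    offered wins; otherwise the client's order decides."""
    first, second = (server_list, client_offer) if server_preference else (client_offer, server_list)
    for suite in first:
        if suite in second:
            return suite
    return None


# SSL 3.0 offer of a pre-update client (constructed; names as in the comment above).
SSL3_OFFER = [
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]

# TLS offer of a current browser, in client preference order (constructed).
MODERN_CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# A server that "promotes" RC4 by listing it first (constructed).
RC4_FIRST_SERVER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def report(client_offer, server_list, protocol="TLSv1.2"):
    """Summarise one negotiation: chosen suite, mode, forward secrecy, POODLE exposure."""
    chosen = negotiate(client_offer, server_list)
    if chosen is None:
        return {"suite": None}
    mode, fs = classify(chosen)
    return {"suite": chosen, "mode": mode, "forward_secrecy": fs,
            "poodle": poodle_exposed(protocol, chosen)}


if __name__ == "__main__":
    print("SSLv3 offer after the update:", secure_transport_2014_005("SSLv3", SSL3_OFFER))
    print("modern client vs RC4-first server:", report(MODERN_CLIENT_OFFER, RC4_FIRST_SERVER))
    print("same, client order honoured:", negotiate(MODERN_CLIENT_OFFER, RC4_FIRST_SERVER, server_preference=False))
```

The filtered SSLv3 list is exactly the two RC4 suites the comment names, which is why the mitigation trades a padding oracle for a stream cipher with known biases; the second run shows that the fix for the RC4-first problem lives in the server's preference order, not in the client.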
