While the world’s focus on Apple today might be on the release of
its new streaming music service, the company also pushed out a host of security fixes for exploits, flaws, and—shall we say—politically difficult situations of the last few months. iOS 8.4 and OS X 10.10.4 should make users safer, pending testing by outside researchers.
You can find the full list of security issues on pages for
iOS 8.4 and
OS X 10.10.4, which also includes items in Security Update 2015-005 for older OS X releases.
EFI update patch fixed
In June, a researcher revealed a problem with Apple’s version of EFI (Extensible Firmware Interface), the bootstrapping software—like BIOS once was for PCs—that activates on power-up or restart to perform hardware tests and then loads the operating system. On awaking his Mac from sleep, the researcher found he could
potentially modify the EFI firmware, which is otherwise cryptographically protected. The modified firmware could carry out all sorts of insidious behavior and evade detection and easy removal.
The researcher said he believed this affected Macs made only in mid-2014 or earlier, and that it was possible Apple had fixed it in newer models. Apple’s
Mac EFI Security Update 2015-001 is available for Mountain Lion (10.8.5) and Mavericks (10.9.5) as well as Yosemite. Specific models aren’t noted, and Yosemite can run on
some Mac models released as far back as 2007, so the update would be required on older Macs even if newer hardware had improved firmware.
The update also mitigates the
Rowhammer bug, in which malware could compromise the integrity of values stored in DRAM, and gain access to all memory and thus take over a system. Apple solved the problem through the relatively obscure matter of increasing the rate at which
memory is refreshed.
According to Net Applications, about 14 percent of Macs in April 2015 were using a version of OS X older than Mountain Lion. While that’s still millions of Macs, the number is declining every day, and it’s unlikely attackers would focus on a smaller and shrinking user base, especially one that requires carefully crafted and remotely delivered malware or physical proximity to a computer.
Mail’s refresh ability
A seeming bug in iOS’s Mail app allowed a specially crafted HTML message to force Mail to load an arbitrary Internet-hosted webpage. While Mail filters many kinds of behavior, a researcher found that it didn’t restrict the use of a “refresh” command in a Meta tag used in the header portion of an HTML email. This led to a proof-of-concept in which an email message pulled in a page that
displayed a formatted prompt that looked like an iCloud login.
Apple acknowledged this at the time as something it would fix in the future, although it said it hadn’t had any accounts of phishing that relied on this approach. The ability to refresh a mail message has been removed in both iOS 8.4 and in the Yosemite 10.10.4 update.
The tricky issue of a Chinese certificate authority
In March, Google revealed that CNNIC, a Chinese agency that handles the root .cn domain and acts as a certificate authority (CA) for issuing digital credentials for secure web connections,
had violated the rules for CAs included in the root trust stores of the major operating system makers and browsers. Its action, in short, allowed a third party to create certificates that would let it spoof any secure website in the world. Fortunately, Google and others monitor for this, and an alarm went off.
Google and Mozilla, the makers of the Firefox browser, quickly reacted. CNNIC was kicked out of the trusted list of CAs for Android, Chrome, Chrome OS, Firefox, Firefox OS, and Thunderbird. Microsoft removed only the certificate issued by CNNIC against the rules. Apple to date had done nothing. I noted in late April that Apple and Microsoft’s extensive dealings in China may have
lead to an uncomfortable situation that put Apple at odds with its commitment to customer security and privacy.
In today’s OS X and iOS updates, Apple remedies this problem. While it downplays CNNIC’s behavior—“an intermediate certificate was incorrectly issued by the certificate authority CNNIC”—it’s added a new mechanism called the “security partial trust allow list.” This lets Apple only accept a subset of certificates from a given certificate authority, rather than all certificates that the CA signed off on.
Apple’s revised Trust Store, its set of trusted root CAs, now excludes certificates that CNNIC produced after its “incorrect” event. By disallowing only newer certificates, Apple prevents its Chinese customers and those connecting to Chinese sites from outside the country from receiving security error messages. Sites backed by newly issued certificates will now fail in Firefox, Android, Chrome, and Safari browsers, but not Internet Explorer, according to Microsoft’s last actions.
(I’ll have more details on this, the Trust Store webpages, and what you can do in OS X in this week’s Private I column.)
Downgraded encryption keys
Apple also patched an obscure but problematic encryption issue known for months in which a malicious party that could insert itself into a connection and intercept a secure negotiation for an encryption session—for email and websites typically—could force a browser or server to downgrade to an outdated encryption algorithm that can be broken.
This attack, called
Logjam, can be fixed on either side of a connection: either with improved browsers and email clients or, in the case of Apple, improved core software (coreTLS, in this case) that handles encryption; or with upgrades to servers.
While websites have been fixing their end, Apple removes this vulnerability from hundreds of millions of devices and computers at one go.
It’s not surprising that this release coming so close on the heels of the
inter-application exploits disclosed June 17 lacks any fixes for them, but Apple said that it had already closed down some behavior on the server side.
The exploits also require the ability to submit malicious software to the App Store, which Apple is obviously now scanning for. A future update will conceivably address the flaws more comprehensively.