Tag Archives: apple

WPA2 KRACK Vulnerability: What you need to know

Last Sunday, the early signs of a vulnerability disclosure affecting the extensively used Wi-Fi protected access (WPA2) protocol were evident. The next day, disclosure of the vulnerability lead to more details. The vulnerability was discovered by  two researchers Mathy Vanhoef and Frank Piessens of the Katholieke Universiteit Leuven (KU Leuven) while examining OpenBSD’s implementation of the WPA2 four way handshake.

Why should this vulnerability be considered important?
On Monday 16th October, the KRACK (key re-installation attacks) vulnerability was disclosed. This vulnerability was found within the implementation of the WPA2 protocol rather than any single device making it’s impact much more widespread. For example, vulnerable devices include Windows, OpenBSD (if not already patched against it), Linux, Apple iOS, Apple macOS and Google Android.

If exploited this vulnerability could allow decryption, packet replay, TCP connection hijacking and if WPA-TKIP (defined) or GCMP (explained) are used; the attacker can inject packets (defined) into a victim’s data, forging web traffic.

How can an attacker exploit this vulnerability?
To exploit the vulnerability an attacker must be within range of a vulnerable Wi-Fi network in order to perform a man in the middle attack (MiTM)(defined). This means that this vulnerability cannot be exploited over the Internet.

This vulnerability occurs since the initial four way handshake is used to generate a strong and unique key to encrypt the traffic between wireless devices. A handshake is used to authenticate two entities (in this example a wireless router and a wireless device wishing to connect to it) and to establish the a new key used to communicate.

The attacker needs to manipulate the key exchange (described below) by replaying cryptographic handshake messages (which blocks the message reaching the client device) causing it to be re-sent during the third step of the four way handshake. This is allowed since wireless communication is not 100% reliable e.g. a data packet could be lost or dropped and the router will re-send the third part of the handshake. This is allowed to occur multiple times if necessary. Each time the handshake is re-sent the attacker can use it to gather how cryptographic nonces (defined here and here) are created (since replay counters and nonces are reset) and use this to undermine the entire encryption scheme.

How can I protect myself from this vulnerability?
AS described in this CERT knowledge base article.; updates from vendors will be released in the coming days and weeks. Apple (currently a beta update) and Microsoft already have updates available. OpenBSD also resolved this issue before the disclosure this week.

Microsoft within the information they published for the vulnerability discusses how when a Windows device enters a low power state the vulnerable functionality of the wireless connection is passed to the underlying Wi-Fi hardware. For this reason they recommend contacting the vendor of that Wi-Fi hardware to request updated drivers (defined).

Links to affected hardware vendors are available from this ICASI Multi-Vendor Vulnerability Disclosure statement. Intel’ security advisory with relevant driver updates is here. The wireless vendor, Edimax also posted a statement with further updates to follow. A detailed but easy to use list of many vendors responses is here. Since I use an Asus router, the best response I could locate is here.

======
Update: 21st October 2017:
Cisco have published a security advisory relating to the KRACK vulnerability for its wireless products. At the time of writing no patches were available but the advisory does contain a workaround for some of the affected products.
======

The above updates are software fixes but updates will also be made available for devices in the form of firmware updates e.g. for wireless routers, smartphones and Internet of Things (IoT)(defined) devices. For any wireless devices you own, please check with the manufacturer/vendor for available updates with the above CERT article and vendor response list detailing many of the common vendors.

Thank you.

Proton Trojan targeting Apple macOS discovered

Earlier this month Sixgill, a cyber intelligence company provided information on a recently discovered trojan for Apple macOS systems. It is being sold on the underground Russian cybercrime forums and acts as a remote administration tool (RAT)(defined). It sells under the name of Proton for 100 Bitcoin (more than USD$100,000) but now allows unlimited installations for 40 Bitcoin or a single installation for 2 Bitcoin.

Since the trojan is a RAT (discussed above) it allows an attacker to have full control of a victim’s system which includes controlling file uploads and downloads, monitoring keyboard presses, taking screenshots and webcam surveillance.

Sixgill theorizes the trojans developers bypassed/worked around Apple’s Developer ID program allowing this “application” to appear harmless while possibly exploiting an unknown zero day vulnerability (defined) within macOS to root privileges (defined) over the victim system.

How can I protect myself from this malware?
Since the trojan allows full control of an over an infected system, this will complicate removal since the attackers could easily attempt to resist or undo removal actions. Malwarebytes state this trojan is not in widespread use and they have been unable so far to obtain a sample of it. Moreover, VirusTotal did not have a sample to provide to them.

Apple added detections for this trojan to their XProtect (defined) anti-malware security feature; however as detailed in this TechRepublic article the trojans creators can easily modify it to avoid Apple’s signatures.

Further information on this trojan is available in this Softpedia article. TechRepublic provides a detailed list of recommendations within their article to prevent infection by this threat.

Thank you.

Apple Releases Security Updates May / June 2016

Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:

    =======================
    Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
    Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
    Apple tvOS 9.2.1: For Apple TV (4th generation)
    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
    Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
    Apple iTunes 12.4: For Windows 7 and later
    =======================

    As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

    Why Should These Issues Be Considered Important?

    The most important updates to install are the AirPort firmware updates and the OS X security updates.

    The AirPort firmware update is particularly severe since it relates to how the devices within how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot be easily disabled without affecting functionality providing even more reason to install the necessary firmware updates as soon as possible.

    =======================
    Apart from the AirPort firmware updates the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:

    Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL, WebKit (and associated components (among others).

    Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CorCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL

    Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL, WebKit (and associated components (among others).

    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, OAcceleratorFamily, IOAudioFamily. IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime, SceneKit (among others).
    Apple Safari 9.1.1: Resolves 7 CVEs the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.

    Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.

    How Can I Protect Myself from These Issues?
    If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.

    =======================
    As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

    Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

    For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

    Thank you.

Apple Releases Xcode Security Update

In early May Apple made available a security update for their Xcode development tool bringing it to version 7.3.1. This updates resolves 1 critical severity issue assigned to 2 CVEs (defined).

This heap based (the concept of a heap is defined here) buffer overflow (defined) issue was addressed by updating Xcode’s built in Git (a convenient version control system used for software development) to version 2.7.4. This issue was caused by the mishandling of filenames. Further technical details are available here.

As always, full details of all of these updates are provided on Apple’s Security Updates page. Further release notes are available here.

If you make use of Apple Xcode, please install the appropriate update as soon as possible. For advice on how to install Apple updates, please see the resources available on the “Protecting Your PC” page of this page (in this context PC is being used in the general sense of a personal computer and does not in this case refer to a computer using a Microsoft operating system).

Thank you.

Apple Ends of Support for Quicktime for Windows

Last week Apple indirectly announced that it would be no longer providing support or security updates for their QuickTime player when installed on Microsoft Windows. Please note that QuickTime for Mac OS X is not affected by this change.

Why Should This Change Be Considered Important?
The recent public disclosure of 2 critical security vulnerabilities (detailed here and here) means that QuickTime is currently vulnerable to these issues and will remain that way. These issues were originally responsibly disclosed (defined) to Apple in late 2015. Apple after carrying out a decision making process has concluded that security updates and support for QuickTime on Windows should now be withdrawn. This appears to be due their decision to withdraw this product from their future roadmap (as shown in the ZDI security advisories linked to above).

How Can I Protect Myself From These Newly Disclosed Issues and in the Future?

As recommend by US-CERT as well as Trend Micro and within this InfoWorld article the only certain way to protect yourself from these newly disclosed vulnerabilities is to uninstall QuickTime for Windows.

The above recommendation will also serve to protect you going forward since software that you don’t have installed cannot be exploited (provided there are no remnants/leftovers after uninstalling).

I use QuickTime for Windows for Essential Workflows or Business Purposes, What Can I Use Going Forward?
As detailed in the previously linked to Trend Micro blog post, alternatives such as K-Lite Media Codec pack, QT Lite and Media Player Classic are available as alternatives. If you use QuickTime as a media player only, you could consider the open-source (defined: the source code (human readable code) is free to view and edit by the wider IT community) VideoLAN VLC Player.

Alternatively if none of the above QuickTime substitutes meet your specific needs you could consider installing the most recent version of QuickTime (version 7.7.9) onto a supported version of Windows and then air-gapping that PC. The concept of air-gapping is discussed in-depth in a previous blog post. But as discussed in that post, this approach is not without disadvantages and isn’t 100% safe.

If These Issues Are So Serious Why Is Apple QuickTime For Windows Still Available To Download?
As discussed above QuickTime has many varied uses and simply withdrawing it from the download page would have been even more inconvenient.

In addition, Apple did not publish a timeline in advance for phasing out QuickTime and possibly for this reason it remains available so as not to inconvenience existing users. This also allows anybody using any version prior to 7.7.9 to update to the most recent version to protect against previously resolved vulnerabilities.

==========
I hope that this information is useful to you as you gradually transition from QuickTime for Windows in order to avoid possible exposure to the above mentioned vulnerabilities as well as future vulnerabilities that may be discovered.

Thank you.

Apple Releases Security Update for iBooks Author App

Yesterday Apple made available a security update for their iBooks Author App bringing it to version 2.4.1. Full details of this update are available from Apple’s support page for this update. The update addresses an information disclosure issue (in this instance revealing details of the logged in user) that could be exploited by an attacker if you open a specifically crafted iBook Author file.

Since this app is available from Apple’s App Store you should receive a notification to update this app as discussed here. The App Store also offers the ability to automatically install updates (as detailed at the end of the page just linked to). Alternatively, the updated app is available from this page.

If you use and/or have this app installed, please install the update mentioned above to address this security issue as soon as possible.

Thank you.

Apple Releases Security Updates To Address iMessage Vulnerability

Yesterday Apple released a very large collection of security updates that affect most of their product range to address issues among them the widely published vulnerability in the iMessage app:

=======================

  • Apple iOS 9.3: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple watchOS 2.2: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple tvOS 9.2: For Apple TV (4th generation)
  • Apple Xcode 7.3: For OS X El Capitan v10.11 and later
  • Apple OS X El Capitan v10.11.4 and Security Update 2016-002: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3
  • Apple Safari 9.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3
  • Apple OS X Sever 5.1: For OS X Yosemite v10.10.5 and later

=======================
As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Without question the most important update is for iOS bringing it to version 9.3. This issue is also present in watchOS and OS X. These updates resolve the cryptographic flaw in Apple’s iMessage app as reported by Matthew Green and his team of research students known as CVE-2016-1788 (defined). I will provide more detail on this vulnerability below.
=======================

Noteworthy fixes included are as follows:

Apple iOS 9.3: Resolves 38 CVEs and includes fixes for AppleUSBNetworking, FontParser, HTTPProtocol, iOS kernel (defined), libxml2, Security, TrueTypeScaler, WebKit (and associated components and Wi-Fi (among others).

Apple watchOS 2.2: Resolves 34 CVEs and includes fixes for DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple tvOS 9.2: Addresses 23 CVEs, the most severe present in the following components: DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple Xcode 7.3: Resolves 2 critical CVEs.

Apple OS X El Capitan v10.11.4 and Security Update 2016-002: Resolves 59 CVEs the most severe being present in the following: apache_mod_php, AppleRAID (defined), AppleUSBNetworking, Bluetooth, Carbon, dyld, FontParser, HTTPProtocol, Intel Graphics Driver (defined), IOGraphics, IOUSBFamily, OS X kernel, libxml2, Messages, Nvidia Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Ruby, Security, Tcl, TrueTypeScaler, Wi-Fi.

Update: 30th March 2016:
The update for OS X 10.11 (El Capitan) also addresses a vulnerability in the System Integrity Protection (SIP) present in the most recent version of the OS. This vulnerability was assigned the following CVE: CVE-2016-1757 Further discussion of this vulnerability is available here.

Apple Safari 9.1: Resolves 12 CVEs the most critical being present in the libxml2 and WebKit (the renderer of Safari).

Apple OS X Server 5.1: Addresses 4 CVEs the most severe of which could allow information disclosure.

An alternative summary of these updates is available within Intego’s blog post.

=======================
Why Should The Critical Cryptographic Flaw Resolved in the Updated Messages App be Considered Important?
From the information that has been made available on this attack it appears to be a side-channel attack; namely one where real world data is gathered in how the cryptosystem works. This is then used to attack it. If an attacker were to access Apple’s servers without being detected and obtained cipher texts(encrypted messages sent using iMessage) they could given sufficient time decrypt the attachments of the messages which can be photos or other files providing that either the sender or receiver of that encrypted message is online.

The tests to decrypt the attachments are done by sending 2^18 (invisible) encrypted messages to the target device. For each response, an attacker can tell if they “guessed” the encryption of that segment of the attachment correctly. This process must be repeated over and over until the entire attachment has been decrypted. It took the researchers over 70 hours to complete a proof of concept attack using un-optimized code but they estimate with optimized code only a fraction of 1 day would be needed.

A more complete technical description is available in Matthew Green’s blog post.

How Can I Protect Myself From This Issue?
As mentioned below if you own any devices that have Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.