This week has been a terrible week for computer security. As a quick primer, there is a technology called TLS. Many will recognize it as “HTTPS”, and it is the protocol used to encrypt almost all traffic on the Internet. It is a critical part of the Internet infrastructure: it provides security for banks, Google, and just about any website that has a password login. Within mere days of each other, two vulnerabilities in TLS implementations were discovered, one in Apple’s and one in Linux’s. The Apple vulnerability affects both iOS and OS X. Both issues have already been patched and fixed, but both left systems massively vulnerable to attack, and it is suspected that the Linux vulnerability may have existed for the past decade without being noticed. This is a major problem, and it demonstrates that computer security is a never-ending process of finding flaws and fixing them.
Apple’s vulnerability was the first to be discovered. Apple issued an update for iOS that listed the issue. The vulnerability opened iOS and OS X users up to a “man in the middle” attack, in which a malicious attacker intercepts information sent between a user and a website and alters it in order to trick the user. The bug was only introduced in OS X 10.9, so only Apple computers running Mavericks or later have the issue. Apparently the issue was caused by programmer error: Apple developers accidentally wrote an extra line of code that caused the security-critical code to misbehave. Fortunately, the latest version of iOS is no longer vulnerable, and an update for OS X was issued just a few days ago as well.
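The “extra line of code” in the Apple bug was a duplicated, unconditional `goto` in the routine that checks the server’s signature during the handshake. The C sketch below is an added illustration of that shape, not Apple’s code: `hash_update` and `raw_verify` are constructed stand-ins for the real hashing and signature verification, and the sole point is that the duplicated jump skips the verification while `err` still holds the success value from the previous step.

```c
#include <stdio.h>

/* Constructed stand-ins (not Apple's code). Both follow the usual
 * convention of the real routines: return 0 on success, non-zero on error. */
static int hash_update(int step) { (void)step; return 0; }
static int raw_verify(int signature_valid) { return signature_valid ? 0 : -1; }

/* Buggy shape: the second "goto fail" has no "if" in front of it, so it is
 * always taken. The hash finalisation and raw_verify() below it never run,
 * and the function returns the 0 left in err by the last hash_update(). */
int verify_server_key_exchange_buggy(int signature_valid)
{
    int err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
        goto fail;                          /* the extra line */
    if ((err = hash_update(3)) != 0)        /* unreachable from here on */
        goto fail;
    err = raw_verify(signature_valid);      /* the check that should decide */
fail:
    return err;
}

/* Fixed shape: one jump per check, with braces so that an accidental
 * duplicate line cannot silently become an unconditional jump. */
int verify_server_key_exchange_fixed(int signature_valid)
{
    int err;
    if ((err = hash_update(1)) != 0) { goto fail; }
    if ((err = hash_update(2)) != 0) { goto fail; }
    if ((err = hash_update(3)) != 0) { goto fail; }
    err = raw_verify(signature_valid);
fail:
    return err;
}

int main(void)
{
    /* 0 = forged/invalid signature: the buggy variant still reports success. */
    printf("buggy, invalid signature: %d\n", verify_server_key_exchange_buggy(0));
    printf("fixed, invalid signature: %d\n", verify_server_key_exchange_fixed(0));
    printf("fixed, valid signature:   %d\n", verify_server_key_exchange_fixed(1));
    return 0;
}
```

Building the buggy variant with `-Wmisleading-indentation` (GCC 6 and later) warns about the indented but unconditional `goto`, which is the kind of check worth keeping on in CI for code like this.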
Despite the severity of the Apple bug, it pales in comparison to the Linux bug. Specifically, the Linux bug was found in a piece of software called GnuTLS, which is the TLS implementation used by hundreds of Linux and Linux-based operating systems across the world. Like the Apple vulnerability, this one was also caused by programmer error, and it has since been patched and fixed in a security update to the software. The difference, however, is that this bug affects many more computers than the Apple bug. Linux is used by thousands of computers, mostly servers. In addition, unlike the Apple bug, which was introduced in OS X 10.9, it is suspected that the Linux vulnerability has been around since 2005. That means most of the computers on the Internet have had a major security vulnerability for almost the past ten years.
It is a striking coincidence that both of these vulnerabilities surfaced within days of each other, especially given the severity of both cases. All Linux and Apple users are advised to update their devices immediately. Real-world exploits and attacks have already been demonstrated and published online, so any users who do not update soon will be extremely vulnerable.