
Apple continues to obfuscate security concerns by releasing vague statements about critical updates to both its mobile and desktop operating systems.

The company issued an update to its mobile operating system on Friday to fix a problem that might have allowed attackers to intercept data sent from its smartphones and tablets to the Web. The vulnerability was caused by a faulty implementation of a decades-old security standard that went unfixed for roughly 18 months. Instead of explaining the issue in terms consumers might understand, Apple used arcane language sure to confound its customers.

Johns Hopkins University cryptography professor Matthew Green had no difficulty explaining the extent of the problem. “It’s as bad as you could imagine,” he told Reuters. “That’s all I can say.” That’s much clearer than Apple’s explanation, which said that “an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

It gets worse. The update to Apple’s desktop computers and laptops doesn’t mention the vulnerability at the top of its list of changes made to the operating system. Users must scroll past fixes to non-critical problems to learn that the update “provides a fix for SSL connection verification.” (Slate notes that most consumers probably won’t even bother to read the entire list of changes and simply install the latest update without question.)

Considering the extent to which this vulnerability has been identified as a prime concern for consumers, Apple’s unwillingness to clearly explain the issue to its customers is irresponsible. Its attempt to assuage concerns among its business customers by releasing a document describing its mobile operating system’s security measures, which must protect financial information, digital communications, and fingerprints from prying eyes, is laughable. It would be difficult to trust future claims that its products are safer than competitive offerings.

Reactions from around the Web

The Globe and Mail explains why consumers should be concerned about the security of essentially any information they’ve sent through Apple’s products, even though attacks based on vulnerabilities like this one are rare:

On a large scale, man-in-the-middle attacks are hard to pull off. What’s more likely is a localized attacker compromising the router at your home, or at a restaurant or bar. As such, the likelihood that your data was captured over the past 18 months is slim – but all bets are off now that the exploit is more widely known.

Proof-of-concept attacks already exist, in fact. There is still some cause for alarm. So update your Apple devices, and as always, exercise common sense. Wireless networks – and the devices we use to connect to them – are rarely as secure as we believe them to be.

Slate’s David Auerbach highlights the sheer stupidity that enabled the vulnerability:

Aside from its severity, though, this bug has another extraordinary quality: It’s extremely simple. (Simple enough that the bug is already on a T-shirt.) Stupid, even. Ninety-nine percent of the time, these sorts of stupid mistakes aren’t that damaging. But that 1 percent of the time, the gods won’t save you.

Stilgherrian, a freelance technology journalist, notes that the problem extends far beyond this particular vulnerability:

The apparent lack of communication between the iOS and OS X teams is bad enough. But what’s far more worrying is how such a serious error could have escaped detection — let’s skip the more tinfoil-oriented explanation that it was a deliberate “mistake” to help the NSA, and a programming error gives Apple plausible deniability — and how the impact of the error is magnified by Apple’s complete lack of transparency when it comes to security issues.

[...]

Nothing must tarnish the image of Apple’s pretty, pretty garden, even if beneath the surface it’s rotten. Or poisoned.

Pando weighs in

I wrote about the vulnerability on Monday and explained that Apple’s unwillingness to be honest with its customers is worsened by the sheer amount of data with which its users entrust the company:

Apple shouldn’t be given a pass for this easily-avoided vulnerability any more than WhatsApp should be heralded as a paragon of privacy despite its own inability to implement basic security measures. These companies are affecting hundreds of millions of people who are using their products to send personal messages, access their financial information, and otherwise interact with the digital world. Lying about those products’ security, whether it’s outright or through arcane language, isn’t something to ignore.

“Apple gives security the finger,” indeed.

[Image courtesy OAndrews]