Apple Patches OS X and iOS, Yet Unpatched Flaws Remain

Apple patches a gotofail error in SSL that affects both OS X and iOS, but a new logging vulnerability is exposed.

Apple is updating both its Mac OS X desktop operating system and its iOS mobile operating system to fix flaws related to the implementation of Secure Sockets Layer (SSL) encryption. The iOS 7.0.6 update was released by Apple on Feb 21, and the OS X Maverick 10.9.2 update got its release on Feb 25.

The iOS and Mac OS X updates share a critical security flaw identified by the Common Vulnerabilities and Exposures (CVE) number CVE-2014-1266.

"Secure Transport failed to validate the authenticity of the connection," Apple warned in its security advisory. "This issue was addressed by restoring missing validation steps."

Security researcher Adam Langley blogged that the missing validation step was an incorrect use of the "goto fail" statement in the code that validates that a given SSL certificate is in fact valid.

The SSL flaw isn't iOS' only security issue. Research firm FireEye released details of a new and unpatched flaw that also affects iOS devices. The flaw is a background app logging issue that could enable a potential malicious app to collect information without user authorization.

"We have created a proof-of-concept 'monitoring' app on non-jailbroken iOS 7.0.x devices," FireEye noted. "This 'monitoring' app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server."

A FireEye spokesperson confirmed to eWEEK that Apple has been properly notified about the issue and is working on a fix. Apple did not directly respond to a request for comment from eWEEK on the issue.

There is, however, a mitigation iOS users can perform on their own to limit the risk of a malicious background monitoring app.

"The only way for IOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring," FireEye advises.

OS X 10.9.2

While the SSL flaw fix in OS X 10.9.2 is noteworthy because it is identical to the one in iOS, other flaws were also fixed in the OS X update.

Apple is patching its QuickTime media player software in OS X for six separate vulnerabilities that could have exposed users to risk and enabled an attacker to take control of a system.

Simply viewing a maliciously crafted JPEG image file also potentially could have enabled an attack to exploit a Mac OS X user.

"An uninitialized memory access issue existed in libjpeg's handling of JPEG markers, resulting in the disclosure of memory contents," Apple warned in its advisory. "This issue was addressed by better JPEG handling."

Among the other interesting security fixes in the new Mac OS X 10.9.2 update is one for a security flaw in the system clock. The risk was that an unprivileged user could have potentially been able to change the system clock.

"This update changes the behavior of the 'systemsetup' command to require administrator privileges to change the system clock," Apple's advisory stated.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.