23 Nov 11

Apple Took 3+ Years to Fix FinFisher Trojan Hole


The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.

Image: spiegel.de

But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.

The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title: According to Apple, as of June 2011, there were approximately a quarter billion installations of iTunes worldwide.

Apple did not respond to requests for comment. An email sent Wednesday morning to its press team produced an auto-response stating that employees were already on leave for the Thanksgiving holiday in the United States.

I first wrote about this vulnerability for The Washington Post in July 2008, after interviewing Argentinian security researcher Francisco Amato about “Evilgrade,” a devious new penetration testing tool he had developed. The toolkit was designed to let anyone send out bogus automatic update alerts to users of software titles that don’t sign their updates. I described the threat from this toolkit in greater detail:

Why is this a big deal? Imagine that you’re at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team’s sports scores. A few seconds later, some application on your system says there’s a software update available. You approve the update.

You’re hosed.

Or maybe you don’t approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.

Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability:

“The iTunes program checks that the binary is signed by Apple but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks it’s from Apple,” Amato said of his attack tool.

Emails shared with KrebsOnSecurity show that Amato contacted Apple’s security team on July 11, 2008, to warn them that the iTunes update functionality could be abused to push out malicious software. According to Amato, Apple acknowledged receipt of the report shortly thereafter, but it did not contact him about his findings until Oct. 28, 2011, when it sent an email to confirm his name and title for the purposes of crediting him with reporting the flaw in its iTunes 10.5.1 patch release details. Interestingly, Apple chose to continue to ignore the vulnerability even after Amato shipped a significant feature upgrade to Evilgrade in Oct. 2010.
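The weakness Amato describes is that only the installer binary was authenticated; the update description and download URL that reached the user were not. As an added example (not Apple’s, Evilgrade’s or any real updater’s code), the Go program below shows an update client that verifies a vendor signature over the manifest itself, pins the download origin to HTTPS on a known host, and binds the fetched bytes to the manifest’s digest; the manifest format, host name and demo key are assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
)

// UpdateManifest is the "update available" metadata. Constructed format, not Apple's.
type UpdateManifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the exact manifest bytes plus the vendor's Ed25519 signature over them.
type SignedManifest struct {
	Manifest, Signature []byte
}

// allowedHosts is the updater's built-in list of download origins (assumed host name).
var allowedHosts = map[string]bool{"updates.example.com": true}

// Digest returns the hex SHA-256 of b, the value a manifest carries for its installer.
func Digest(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// DemoKeys derives a fixed keypair from a constant seed; a real client ships only the public key.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a vendor key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignManifest is the vendor side: serialize, then sign those exact bytes.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) SignedManifest {
	raw, _ := json.Marshal(m) // a struct of plain strings cannot fail to marshal
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// LegacyParse mirrors the weak pattern: whatever the plain-HTTP response says is trusted as-is.
func LegacyParse(raw []byte) (*UpdateManifest, error) {
	var m UpdateManifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyManifest is the hardened check: valid vendor signature, then HTTPS URL on a known host.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*UpdateManifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return nil, fmt.Errorf("manifest signature invalid: altered or not from vendor")
	}
	m, err := LegacyParse(sm.Manifest)
	if err != nil {
		return nil, err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return nil, fmt.Errorf("download URL %q is not an allowed HTTPS origin", m.URL)
	}
	return m, nil
}

// VerifyDownload ties the fetched installer bytes back to the signed manifest.
func VerifyDownload(m *UpdateManifest, payload []byte) bool { return Digest(payload) == m.SHA256 }

func main() {
	pub, priv := DemoKeys()
	installer := []byte("constructed installer bytes")
	sm := SignManifest(priv, UpdateManifest{Version: "10.5.1",
		URL: "https://updates.example.com/iTunesSetup.exe", SHA256: Digest(installer)})
	if m, err := VerifyManifest(pub, sm); err == nil {
		fmt.Println("genuine manifest accepted; installer matches:", VerifyDownload(m, installer))
	}
	// Constructed copy of the same response as rewritten on an untrusted network.
	tampered := []byte(`{"version":"10.5.1","url":"http://192.0.2.1/update.exe","sha256":""}`)
	_, legacyErr := LegacyParse(tampered)
	_, hardErr := VerifyManifest(pub, SignedManifest{Manifest: tampered, Signature: sm.Signature})
	fmt.Println("legacy accepts tampered:", legacyErr == nil, "hardened rejects:", hardErr != nil)
}
```

Signing the metadata is what closes the gap: once the description and URL are covered by the signature, a rewritten response fails verification before any browser or installer is ever launched.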

The length of time Apple took to patch this significant security flaw is notable. In May 2006, I undertook a longitudinal study of how long it took Apple to ship security updates for its products. In that analysis, I looked at two years’ worth of patches issued to fix serious security bugs in Apple’s Mac OS X operating system, as well as other Apple software applications like iTunes. I found that on average, 91 days elapsed between the date that a security researcher alerted Apple to an unpatched flaw and the date Apple shipped a patch to fix the problem. In that study, I examined patch times for four dozen flaws, and the lengthiest patch time in that period was 245 days.

Amato said he’s not sure why Apple took so long to fix his bug, which he said should have been trivial to correct.

“Maybe they forgot about it, or it was just on the bottom of their to-do list,” he said.

Public attention to digital surveillance tools being marketed to law enforcement agencies worldwide is spurring discussion about whether antivirus companies are doing all they can to unmask these intruders. Mikko Hypponen, chief research officer for Finnish security firm F-Secure, first blogged about FinFisher in March 2011, when protesters in Egypt took over the headquarters of the Egyptian State Security and gained access to loads of confidential state documents, including those that appear to show the government purchased licenses for the program.

Hypponen said F-Secure has stated unequivocally that it will detect any malware that it knows about, regardless of whether the malware is being actively used by government authorities for surveillance. But he said not all antivirus companies have made similar public commitments.

“There is no real discussion or industry-wide agreement on it,” Hypponen said. “The way it goes down is that [antivirus] companies have no idea which Trojans they get are governmental Trojans or just the usual stuff. There must be many more governmental Trojans that we and others detect but don’t know are being used for government surveillance.”

As for the years that Apple took to patch the iTunes update flaw, Hypponen said he’s stumped, but inclined to give the company the benefit of the doubt.

“It is an unusually long time to patch anything, so it doesn’t make much sense,” he said.

For more details on FinFisher, see Der Spiegel’s fascinating coverage of how this surveillance Trojan was marketed.

One note of caution about upgrading your software that I hope is clear from this post: Staying up-to-date with the latest security patches is one of the surest ways to keep your system secure from malware and intruders. But whenever possible, try to do your updating from a network that you trust and control. Otherwise, you may be placing far too much trust in the security of the update mechanisms built into the software you use.

Update, 3:11 p.m. ET: An earlier version of this story incorrectly stated that Amato was able to exploit the iTunes update flaw on OS X systems. While Apple’s advisory states that this flaw is present on OS X systems that lack the iTunes 10.5.1 patch, Amato said he was unable to replicate the problem on OS X systems during his research.


43 comments

  1. Sounds like much ado about nothing. You can use iTunes to open a URL in the user’s default browser. Seems like that’s hardly any different than being MITM’d while just using your default browser.

    • It’s bad because the attack vector subverts an otherwise trusted mechanism. You open iTunes, hit the Check for Updates button. Something responds back saying, “Here’s an update for you, it’s from Apple.” iTunes happily runs the code. The problem is that iTunes didn’t check if it really was from Apple or not. You’d never know something bad just happened.

  2. Since Apple always accuses Microsoft of waiting too long to patch vulnerabilities, this article points to a glaring fact. Apple is just as bad as Microsoft on this subject.

    Emisoft has taken some political flak for removing a German government’s spy program. They say they will never allow any government to take a pass from their anti-malware.

    • JCitizen writes, “Since Apple always accuses Microsoft of waiting too long to patch vulnerabilities…”

      Always? Has Apple EVER accused Microsoft of waiting too long to patch vulnerabilities?

      If JCitizen can find a single Apple press release, or a single public comment from any Apple executive to support his accusation, I’ll make a donation to the charity of his choice.

      If JCitizen can’t cough up the goods, then perhaps he can explain how he came to such a misguided conclusion?

  3. Even in the 1960s, NSA and its military affiliates, ASA, NSG and AFSS, were fully capable of MASSIVE communication and wire intercept. Treaties that prevented host country intercept did not disallow identical intercept from another country, so South Korea could be intercepted from Japan and vice versa.

    Ditto with the capabilities set forth in the WSJ video and the YouTube evilgrade video. As was so with rendition of prisoners to circumvent country laws is also especially so on the internet.

  4. Brian

    Besides for F-Secure, would you please share with us the names of other AV providers who have taken the position that they will NOT shield covert ‘spy’ programs from detection.

    • ESET declared it would detect gov malware, when the original Magic Lantern made an appearance 10 years ago. (Scarfo case). I can see AV sigs being co-opted, but won’t HIPS alert on just behavior?

      NN

      • @Norman;

        It is true that a strictly behavior based HIPS would detect it anyway, but there is nothing stopping these companies from putting this kind of spyware in their white list.

        I regularly inspect the white list on my Emisoft solution called Mamutu, to look for this possibility, but have never found anything that didn’t need to be white listed. White lists are definitely needed for DRM existent in PCs for content protection. Emisoft’s product will detect them also, and stop them from operating. This of course runs counter to the user’s wishes, if they want to consume protected content, so they must unblock these programs to mark them as no longer monitored.

        I like the way Emisoft’s solutions directly identify the .exe file that is being monitored or blocked. I am not affiliated with Emisoft in any way here FYI.

  5. QUOTE–
    But whenever possible, try to do your updating from a network that you trust and control. –CLOSE QUOTE
    —— Yes, like Secunia Personal Software Inspector (PSI)

  6. Firefox could be prone to similar update problems in the near future.

    http://www.net-security.org/secworld.php?id=11987

  7. SCADA hacks published on Pastebin
    - https://isc.sans.edu/diary.html?storyid=12088
    Last Updated: 2011-11-23 15:50:30 UTC

    • @ PC.Tech,

      With regard to the SCADA hack that might or might not have happened.

      It’s been fairly well discussed at,

      http://www.schneier.com/blog/archives/2011/11/hack_against_sc.html

      And I’ve given a description of how the pump motor could have been burnt out without it actually leaving code or other information to give the DHS investigators at ICS-CERT “proof positive”, not that they actually want to find anything for political reasons.

  8. “As for the years that Apple took to patch the iTunes update flaw, Hypponen said he’s stumped, but inclined to give the company the benefit of the doubt.”

    I’m not. I think that your explanatory update provides sufficient context to understand the tardiness.

    The flaw only affected Windows.

    I find it easy to believe that a bug which indirectly made a rival’s product more vulnerable to exploit would be assigned the lowest priority.

    • “I find it easy to believe that a bug which indirectly made a rival’s product more vulnerable to exploit would be assigned the lowest priority.”

      Perhaps that’s the actual reason for the slow patch schedule, but regardless, Apple just proved its incapability to deal with security flaws.

      Something like this seriously makes me (re)consider changing my music-player. But re-rating thousands of songs just doesn’t feel tempting.

    • “I find it easy to believe that a bug which indirectly made a rival’s product more vulnerable to exploit would be assigned the lowest priority.”

      I’m not sure leaving your users/customers insecure is ever a good reason, whether they’re on your platform or not. While I can see that reasoning occurring, it’s certainly not acceptable justification for Apple’s lateness in response. Besides which, iTunes on Windows is still Apple’s product, so they’re still the ones holding the “insecure” potato.

  9. Every time I think it may be nice to own an Apple product, i.e. an iPod touch, the only barrier to this is that I would have to install iTunes on my Windows PC, and this I will not do.

    Nice report Brian.

    P.S. Happy holidays to all you Americans out there.

    • iTunes is no longer needed with iOS 5.

      Per: http://www.apple.com/ios/features.html#pcfree

      “With iOS 5, you no longer need a computer to own an iPad, iPhone, or iPod touch. Activate and set up your device wirelessly, right out of the box. Download free iOS software updates directly on your device. Do more with your apps — like editing your photos or adding new email folders — on your device, without the need for a Mac or PC. And back up and restore your device automatically using iCloud.”

  10. Just imagine: your vendor probably knows of similar holes, reported 2+ years ago, that are still present in your system _right now_.

  11. It obviously wasn’t that big of a deal. Didn’t see a lot of people exploiting it.

  12. Society of Professional Journalists Code of Ethics : “Test the accuracy of information from all sources and exercise care to avoid inadvertent error. Deliberate distortion is never permissible.”

    I find it very telling we have to learn this exploit was PC-only from a commenter. It would appear, Mr. Krebs, you are biased against Apple and now – by weight of evidence – unethical for not revealing that critical information anywhere in your story. It would have provided context that would prove – to one degree or another – that Mac OS X is more secure than Windows, at least when one is discussing malware.

    For that matter, since the discussion is about context, I have to wonder if you have ever audited Microsoft and divined how many days it took them – on average – to fix security ‘holes’, and was it longer or shorter than Apple? This also would have added context and – dare I say it? – balance to a very amateur hit-piece on Apple masquerading as ‘news’.

    I don’t suppose you could be bothered at this point to add even more context and reveal how many active malware threats are currently afflicting each platform, could you? No, something tells me we won’t see this before Hell freezing over unless, of course, it could be reported to Apple’s detriment. I would bet were this the case you would pour all over the story like maple syrup.

    ‘Tis a pity. This could have been a great opportunity to report the truth and full disclosure would have made a so-so article great. As it is, it will always be a mediocre hit-piece on Apple.

    • Pat – I’m going to guess you’re unfamiliar with my previous work on patch times. I’ll address a few of your points in order.

      “I find it very telling we have to learn this exploit was PC-only from a commenter.”

      Maybe you missed this at the bottom of my story, which was added less than an hour after I put the story up (before there were any comments left on the piece):

      “Update, 3:11 p.m. ET: An earlier version of this story incorrectly stated that Amato was able to exploit the iTunes update flaw on OS X systems. While Apple’s advisory states that this flaw is present on OS X systems that lack the iTunes 10.5.1 patch, Amato said he was unable to replicate the problem on OS X systems during his research.”

      As you can see, this is not a PC-only problem, according to Apple.

      You said: “I have to wonder if you have ever audited Microsoft and divined how many days it took them – on average – to fix security ‘holes’, and was it longer or shorter than Apple? ”

      Yes, I have. On several occasions. Allow me to link to a few:

      http://voices.washingtonpost.com/securityfix/2006/01/a_time_to_patch.html

      and

      http://voices.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html

      It’s predictable and common for Apple defenders to point out the flaws in Windows whenever someone publishes a well-documented critique of Apple’s performance or lack thereof on any issue, particularly security. This story isn’t about malware on Mac or malware on Windows. It’s about government Trojans, and Apple’s decision to wait 3+ years to patch this flaw unnecessarily exposed hundreds of millions of computer users — yes, Mac and Windows users — to being spied on.

      • To sum up:

        1. You admit there was information missing from the story for over an hour.
        2. Apple says the flaw exists on Macs, but your security ‘expert’ can’t get it to work.
        3. Somehow you still trust and rely on this ‘expert’ as a source, but you never get around to questioning him on the conflict with Apple.

        But I am willing to let the ethical implications slide for the moment so we can work on your reading comprehension skills. Apple DID NOT state this affected Macs. I quote from the Apple advisory:

        “iTunes 10.5.1
        iTunes

        Available for: Mac OS X v10.5 or later, Windows 7, Vista, XP SP2 or later”

        This is the listing of systems for which the update is available. Period. End of Story. Full stop. But your bias has so blinded you that you didn’t read what was there, did you? To continue:

        “Description: iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If APPLE SOFTWARE UPDATE FOR WINDOWS (emphasis is most certainly mine!) is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.”

        It is most certainly a PC only problem. Why? Because Apple says so, and Apple saying so was good enough for you earlier. Apple specifically says this will only affect PC users who DO NOT have Apple Software Update installed. Based on this information, I charge you with journalistic malpractice and rampaging bias. You DID NOT take this information into account when you insinuated 250 million iTunes users were affected because your biases completely blinded you to all reality. Quite simply, you saw and read exactly what you WANTED to read.

        We now know the number is much, much smaller.

        The above would also explain why your ‘expert’ couldn’t get it to work on a Mac. It wouldn’t work because it can’t work on a Mac, and evidently won’t work on a PC either unless the user did not install Apple Software Update.

        I look forward to a prominent retraction and correction immediately, and an apology for your unwarranted attack on me.

        • “journalistic malpractice and rampaging bias”

          Apology? Correction? Really, Pat? Please. Do everyone here a favor and put down the Apple-flavored Kool Aid and go rage on some other blog.

          • Fine. Then explain why your ‘expert’ cannot get it to work on a Mac and I will leave. If I am wrong, then explain exactly why I am wrong by explaining why your source failed.

            And then explain why you didn’t question him why it failed when – according to you – Apple said it would work.

            And then explain why – all of a sudden – Apple’s word is worthless in your eyes.

            This is why you can’t be taken seriously as a security ‘expert’ yourself. Your credibility is shot because you can’t admit you were wrong, and you can’t admit you didn’t read the security advisory correctly. If you cannot explain why your source failed, then you are an unethical journalist, and your credibility becomes non-existent.

    • Pat, posts and comments like yours make me understand more about the joke about “Apple religion”, and allow me to laugh even more at it. (I once was a Mac user, but these days I hardly ever power up my Mac)

  13. “A few seconds later, some application on your system says there’s a software update available. You approve the update.”
    On a Debian GNU/Linux based system you’d immediately know that this was wrong since individual applications cannot update themselves. All updates come from signed repositories. Apple has taken a page from the Debian handbook with their App Store for iOS devices and Microsoft is apparently eyeing a similar updating mechanism for Windows 8.

    • One big lack with repositories is that anything which is not made/upkept by a certain core of the distro community drags badly behind in versions, when comparing what’s available thru repositories versus the app developers’ site. And if there’s a mismatch of versions, bug reporting becomes somewhat useless, and getting the latest release version of the application usually requires a method of installing that is not as straightforward as thru repositories. Some applications actually mention that for getting the latest version, you should visit their website.

      I’ve come to the conclusion that for a person who doesn’t bother learning the tricks of the OS, but focuses on the programs he needs to use, Ubuntu (a Linux distro, based on Debian) is not a suggestible option. And it’s not an option at all if said person doesn’t have a Linux-savvy person as a friend, regardless of how free the stuff is.

      And for Ubuntu, if you don’t update the distro twice a year, bug reporting thru the centralized utility (only option in some cases) is generally useless, as you’ll be told to update your distro first.

      Regardless of all that (and much, much more that I haven’t mentioned here), I will keep using Ubuntu for anything that’s not gaming.

      • I would have to argue that is not so much a problem with the repository model as a distro management issue. Should a distro support bleeding edge for software? Should users of version X of a distro get pushed up a major revision of the office suite associated with that distro or should they only get patches by default? Most systems, such as yum and apt, make it easy to add additional repositories, such as ones that are managed by the software vendor (such as Adobe). What they fail to do is make it seamless to do this or add additional repositories such as PPAs.

        We could talk about how to do this all day, the point is this approach can be applied to windows or apple as well. Allow approved vendors to apply for a signed certificate from MS or Apple and let them set up repositories that will be checked by the native OS update client. For example, adobe could install their repository configuration and validate their certificate when you install flash. MS will not have to manage the repo, adobe will.

  14. “I would have to argue that is not so much a problem with the repository model as a distro management issue.”

    I don’t know what’s the core of the problem, but there’s a serious problem, at least on Ubuntu’s side. The repository model itself is great: I hate installing anything outside of it, unless I’m 100% certain about what I’m doing – and even then I just don’t like doing so. In the worst case you just have to put blind faith in Google, because all you have is the app (or library) name.

    “Should a distro support bleeding edge for software?”

    If it’s the latest release version for applications and libraries, then yes.

    “Should users of version X of a distro get pushed up a major revision of the office suite associated with that distro or should they only get patches by default?”

    By default, patches, yes. But when the major revision is not available at all, what would you call that? (I’m still using Firefox 3.6.x)

    “What they fail to do is make it seamless to do this or add additional repositories such as PPAs.”

    I don’t argue with that.

    “the point is this approach can be applied to windows or apple as well.”

    I agree.

    “For example, adobe could install their repository configuration and validate their certificate when you install flash. MS will not have to manage the repo, adobe will.”

    Would very efficiently null the need for “Adobe Download Manager”-crap, and such.

    The repository model is most broken when an application cannot be installed because a library (or worse, libraries) it relies on is too old in the repository. A formidable reason why I abandoned FreeBSD long ago. Imagine a person who’s used to a GUI (thru Mac) trying to install an application in a CLI environment, only to find out that he’d need to manually locate and install several libraries, because those available in repositories are too old. In the worst cases, some libraries were not available anymore at all. On Ubuntu as well, I’ve a few times run into that “too old version” problem. On Mac (again, years ago), I gave up with the macport[name?] stuff immediately because an attempt to install an application, which required a huge list of (small) libraries to be installed first, gave a painstaking list of “source not found” errors.

  15. I dunno if it has been reported in the comments, but you should be aware that the FinFisher injection tools exist also at the “ISP level”, so it can make the injection in updates from the “network you trust”.

    The tool is FinFly ISP.

    See about FinFisher, this article from owni.fr (French) and the WikiLeaks files that were released recently: http://owni.fr/2011/12/12/finfisher-cheval-de-troie-gros-requin-intrusion-surveillance/