
Apple Took 3+ Years to Fix FinFisher Trojan Hole

    The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.

    Image: spiegel.de

    But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.

    The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title: According to Apple, as of June 2011, there were approximately a quarter billion installations of iTunes worldwide.

    Apple did not respond to requests for comment. An email sent Wednesday morning to its press team produced an auto-response stating that employees were already on leave for the Thanksgiving holiday in the United States.

    I first wrote about this vulnerability for The Washington Post in July 2008, after interviewing Argentinian security researcher Francisco Amato about “Evilgrade,” a devious new penetration testing tool he had developed. The toolkit was designed to let anyone send out bogus automatic update alerts to users of software titles that don’t sign their updates. I described the threat from this toolkit in greater detail:

    Why is this a big deal? Imagine that you’re at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team’s sports scores. A few seconds later, some application on your system says there’s a software update available. You approve the update.

    You’re hosed.

    Or maybe you don’t approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.

    Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability:

    “The iTunes program checks that the binary is signed by Apple, but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks it’s from Apple,” Amato said of his attack tool.
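    To make the shape of the flaw concrete, here is an added example in Go. It is my illustration, not Evilgrade’s code and not anything from Apple’s iTunes updater. It assumes a hypothetical JSON update manifest (the field names, the product name “ExamplePlayer”, the URLs and the dialog text are all invented for the demo) and an Ed25519 vendor key pinned inside the client. `acceptUnsigned` stands for the flawed design Amato describes: the installer may be signature-checked, but the description shown in the update dialog is taken from an unauthenticated network reply, so a rogue access point can put its own link in front of the user. `verifySigned` is the fix: the signature covers the whole manifest, so a swapped reply fails before anything is displayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the reply to an update check. Field names are illustrative, not iTunes's format.
type Manifest struct {
	Product     string `json:"product"`
	Version     string `json:"version"`
	URL         string `json:"url"`         // where the installer is fetched from
	Description string `json:"description"` // HTML rendered in the update dialog
}

// SignedManifest is the hardened wire format: the signature covers the exact manifest bytes.
type SignedManifest struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"` // Ed25519 over Manifest
}

var ErrBadSignature = errors.New("update manifest: signature does not verify under pinned vendor key")

// Constructed sample dialog text for the legitimate and the attacker's manifests.
const (
	LegitDescription    = "<p>This update fixes security issues.</p>"
	AttackerDescription = `<p>Important update: <a href="http://198.51.100.7/player-update.exe">download</a></p>`
)
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// signManifest is the vendor side of the hardened scheme; only the vendor holds priv.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	raw, err := json.Marshal(m)
	must(err)
	wire, err := json.Marshal(SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)})
	must(err)
	return wire
}

// acceptUnsigned is the flawed client: the reply is parsed as-is and Description goes to a browser control.
func acceptUnsigned(wire []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(wire, &m)
	return m, err
}

// verifySigned is the fixed client: no field is used until the signature verifies.
func verifySigned(pinned ed25519.PublicKey, wire []byte) (Manifest, error) {
	var sm SignedManifest
	if err := json.Unmarshal(wire, &sm); err != nil {
		return Manifest{}, err
	}
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	err := json.Unmarshal(sm.Manifest, &m)
	return m, err
}

// Scenario plays the Evilgrade-style attack (a rogue access point answers the update check)
// against both clients: text the flawed one renders, version the fixed one accepts, error on the swap.
func Scenario() (rendered, acceptedVersion string, tamperedErr error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	legit := Manifest{Product: "ExamplePlayer", Version: "10.5.1",
		URL: "https://updates.example.com/player-10.5.1.exe", Description: LegitDescription}
	evil := Manifest{Product: "ExamplePlayer", Version: "10.5.2",
		URL: "http://198.51.100.7/player-update.exe", Description: AttackerDescription}
	evilRaw, err := json.Marshal(evil)
	must(err)
	// 1. Flawed client on the rogue network: the attacker's reply is rendered as-is.
	m, err := acceptUnsigned(evilRaw)
	must(err)
	rendered = m.Description
	// 2. Fixed client on a clean network: the vendor-signed manifest is accepted.
	signed := signManifest(vendorPriv, legit)
	m, err = verifySigned(vendorPub, signed)
	must(err)
	acceptedVersion = m.Version
	// 3. Fixed client on the rogue network: body swapped, but no signature under the vendor key.
	var sm SignedManifest
	must(json.Unmarshal(signed, &sm))
	sm.Manifest = evilRaw
	tampered, err := json.Marshal(sm)
	must(err)
	_, tamperedErr = verifySigned(vendorPub, tampered)
	return rendered, acceptedVersion, tamperedErr
}

func main() {
	fmt.Println(Scenario())
}
```

    Run it with `go run` to see the three outcomes; `Scenario` is deliberately the single entry point so the same code can be checked in a test. HTTPS with a verified certificate would also have blocked the rogue-access-point rewrite, but a signature over the manifest under a key the client already holds does not depend on the network at all, which is what the advice at the end of the post is getting at.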

    Emails shared with KrebsOnSecurity show that Amato contacted Apple’s security team on July 11, 2008, to warn them that the iTunes update functionality could be abused to push out malicious software. According to Amato, Apple acknowledged receipt of the report shortly thereafter, but it did not contact him about his findings until Oct. 28, 2011, when it sent an email to confirm his name and title for the purposes of crediting him with reporting the flaw in its iTunes 10.5.1 patch release details. Interestingly, Apple chose to continue to ignore the vulnerability even after Amato shipped a significant feature upgrade to Evilgrade in Oct. 2010.

    The length of time Apple took to patch this significant security flaw is notable. In May 2006, I undertook a longitudinal study of how long it took Apple to ship security updates for its products. In that analysis, I looked at two years’ worth of patches issued to fix serious security bugs in Apple’s Mac OS X operating system, as well as other Apple software applications like iTunes. I found that on average, 91 days elapsed between the date that a security researcher alerted Apple to an unpatched flaw and the date Apple shipped a patch to fix the problem. In that study, I examined patch times for four dozen flaws, and the lengthiest patch time in that period was 245 days.

    Amato said he’s not sure why Apple took so long to fix his bug, which he said should have been trivial to correct.

    “Maybe they forgot about it, or it was just on the bottom of their to-do list,” he said.

    Public attention to digital surveillance tools being marketed to law enforcement agencies worldwide is spurring discussion about whether antivirus companies are doing all they can to unmask these intruders. Mikko Hypponen, chief research officer for Finnish security firm F-Secure, first blogged about FinFisher in March 2011, when protesters in Egypt took over the headquarters of the Egyptian State Security and gained access to loads of confidential state documents, including those that appear to show the government purchased licenses for the program.

    Hypponen said F-Secure has stated unequivocally that it will detect any malware that it knows about, regardless of whether the malware is being actively used by government authorities for surveillance. But he said not all antivirus companies have made similar public commitments.

    “There is no real discussion or industry-wide agreement on it,” Hypponen said. “The way it goes down is that [antivirus] companies have no idea which Trojans they get are governmental Trojans or just the usual stuff. There must be many more governmental Trojans that we and others detect but don’t know are being used for government surveillance.”

    As for the years that Apple took to patch the iTunes update flaw, Hypponen said he’s stumped, but inclined to give the company the benefit of the doubt.

    “It is an unusually long time to patch anything, so it doesn’t make much sense,” he said.

    For more details on FinFisher, see Der Spiegel’s fascinating coverage of how this surveillance Trojan was marketed.

    One note of caution about upgrading your software that I hope is clear from this post: Staying up-to-date with the latest security patches is one of the surest ways to keep your system secure from malware and intruders. But whenever possible, try to do your updating from a network that you trust and control. Otherwise, you may be placing far too much trust in the security of the update mechanisms built into the software you use. The stronger protection has to come from the vendor: an updater that verifies a vendor signature over everything it displays and installs, not just over the installer itself, is safe regardless of the network it is on.

    Update, 3:11 p.m. ET: An earlier version of this story incorrectly stated that Amato was able to exploit the iTunes update flaw on OS X systems. While Apple’s advisory states that this flaw is present on OS X systems that lack the iTunes 10.5.1 patch, Amato said he was unable to replicate the problem on OS X systems during his research.


    43 comments

    1. [Comment hidden due to low rating.]

      Poorly-rated. Like or Dislike: Thumb up 2 Thumb down 28
      • It’s bad because the attack vector subverts an otherwise trusted mechanism. You open iTunes, hit the Check for Updates button. Something responds back saying, “Here’s an update for you, it’s from Apple.” iTunes happily runs the code. The problem is that iTunes didn’t check if it really was from Apple or not. You’d never know something bad just happened.

        Well-loved. Like or Dislike: Thumb up 33 Thumb down 3
    2. Since Apple always accuses Microsoft of waiting too long to patch vulnerabilities, this article points to a glaring fact. Apple is just as bad as Microsoft on this subject.

      Emsisoft has taken some political flak for removing a German government’s spy program. They say they will never allow any government to take a pass from their anti-malware.

      Well-loved. Like or Dislike: Thumb up 37 Thumb down 3
      • [Comment hidden due to low rating.]

        Poorly-rated. Like or Dislike: Thumb up 4 Thumb down 17
    3. Even in the 1960s, NSA and its military affiliates, ASA, NSG and AFSS, were fully capable of MASSIVE communication and wire intercept. Treaties that prevented host country intercept did not disallow identical intercept from another country, so South Korea could be intercepted from Japan and vice versa.

      Ditto with the capabilities set forth in the WSJ video and the YouTube evilgrade video. As it was with rendition of prisoners to circumvent country laws, so it is especially on the internet.

      Like or Dislike: Thumb up 2 Thumb down 1
    4. Brian

      Besides for F-Secure, would you please share with us the names of other AV providers who have taken the position that they will NOT shield covert ‘spy’ programs from detection.

      Well-loved. Like or Dislike: Thumb up 6 Thumb down 1
      • ESET declared it would detect gov malware, when the original Magic Lantern made an appearance 10 years ago. (Scarfo case). I can see AV sigs being co-opted, but won’t HIPS alert on just behavior?

        NN

        Like or Dislike: Thumb up 3 Thumb down 0
        • @Norman;

          It is true that a strictly behavior based HIPS would detect it anyway, but there is nothing stopping these companies from putting this kind of spyware in their white list.

          I regularly inspect the white list on my Emsisoft solution called Mamutu, to look for this possibility, but have never found anything that didn’t need to be white listed. White lists are definitely needed for DRM existent in PCs for content protection. Emsisoft’s product will detect them also, and stop them from operating. This of course runs counter to the user’s wishes, if they want to consume protected content, so they must unblock these programs to mark them as no longer monitored.

          I like the way Emsisoft’s solutions directly identify the .exe file that is being monitored or blocked. I am not affiliated with Emsisoft in any way here, FYI.

          Like or Dislike: Thumb up 3 Thumb down 0
    5. QUOTE–
      But whenever possible, try to do your updating from a network that you trust and control. –CLOSE QUOTE
      —— Yes, like Secunia Personal Software Inspector (PSI)

      Like or Dislike: Thumb up 1 Thumb down 5
    6. Firefox could be prone to similar update problems in the near future.

      http://www.net-security.org/secworld.php?id=11987

      Like or Dislike: Thumb up 1 Thumb down 6
    7. SCADA hacks published on Pastebin
       - https://isc.sans.edu/diary.html?storyid=12088
       Last Updated: 2011-11-23 15:50:30 UTC

      Like or Dislike: Thumb up 0 Thumb down 4
      • @ PC.Tech,

        With regards the SCADA hack that might or might not have happened.

        It’s been fairly well discussed at,

        http://www.schneier.com/blog/archives/2011/11/hack_against_sc.html

        And I’ve given a description of how the pump motor could have been burnt out without it actually leaving code or other information to give the DHS investigators at ICS-CERT “proof positive”, not that they actually want to find anything, for political reasons.

        Well-loved. Like or Dislike: Thumb up 9 Thumb down 0
    8. “As for the years that Apple took to patch the iTunes update flaw, Hypponen said he’s stumped, but inclined to give the company the benefit of the doubt.”

      I’m not. I think that your explanatory update provides sufficient context to understand the tardiness.

      The flaw only affected Windows.

      I find it easy to believe that a bug which indirectly made a rival’s product more vulnerable to exploit would be assigned the lowest priority.

      Well-loved. Like or Dislike: Thumb up 16 Thumb down 2
      • “I find it easy to believe that a bug which indirectly made a rival’s product more vulnerable to exploit would be assigned the lowest priority.”

        Perhaps that’s the actual reason for the slow patch schedule, but regardless, Apple just proved its incapability to deal with security flaws.

        Something like this seriously makes me (re)consider changing my music-player. But re-rating thousands of songs just doesn’t feel tempting.

        Like or Dislike: Thumb up 4 Thumb down 1
      • “I find it easy to believe that a bug which indirectly made a rival’s product more vulnerable to exploit would be assigned the lowest priority.”

        I’m not sure leaving your users/customers insecure is ever a good reason, whether they’re on your platform or not. While I can see that reasoning occurring, it’s certainly not acceptable justification for Apple’s lateness in response. Besides which, iTunes on Windows is still Apple’s product, so they’re still the ones holding the “insecure” potato.

        Well-loved. Like or Dislike: Thumb up 8 Thumb down 0
    9. Every time I think it may be nice to own an Apple product, i.e. an iPod touch, the only barrier to this is that I would have to install iTunes on my Windows PC, and this I will not do.

      Nice report Brian.

      P.S. Happy holidays to all you Americans out there.

      Well-loved. Like or Dislike: Thumb up 14 Thumb down 0
      • iTunes is no longer needed with iOS 5.

        Per: http://www.apple.com/ios/features.html#pcfree

        “With iOS 5, you no longer need a computer to own an iPad, iPhone, or iPod touch. Activate and set up your device wirelessly, right out of the box. Download free iOS software updates directly on your device. Do more with your apps — like editing your photos or adding new email folders — on your device, without the need for a Mac or PC. And back up and restore your device automatically using iCloud.”

        Hot debate. What do you think? Thumb up 5 Thumb down 9
    10. Just imagine: your vendor probably knows of similar holes, reported 2+ years ago, that are still present in your system _right now_.

      Hot debate. What do you think? Thumb up 9 Thumb down 10
    11. [Comment hidden due to low rating.]

      Poorly-rated. Like or Dislike: Thumb up 3 Thumb down 27
    12. [Comment hidden due to low rating.]

      Poorly-rated. Like or Dislike: Thumb up 1 Thumb down 32
      • Pat – I’m going to guess you’re unfamiliar with my previous work on patch times. I’ll address a few of your points in order.

        “I find it very telling we have to learn this exploit was PC-only from a commenter.”

        Maybe you missed this at the bottom of my story, which was added less than an hour after I put the story up (before there were any comments left on the piece):

        “Update, 3:11 p.m. ET: An earlier version of this story incorrectly stated that Amato was able to exploit the iTunes update flaw on OS X systems. While Apple’s advisory states that this flaw is present on OS X systems that lack the iTunes 10.5.1 patch, Amato said he was unable to replicate the problem on OS X systems during his research.”

        As you can see, this is not a PC-only problem, according to Apple.

        You said: “I have to wonder if you have ever audited Microsoft and divined how many days it took them – on average – to fix security ‘holes’, and was it longer or shorter than Apple? ”

        Yes, I have. On several occasions. Allow me to link to a few:

        http://voices.washingtonpost.com/securityfix/2006/01/a_time_to_patch.html

        and

        http://voices.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html

        It’s predictable and common for Apple defenders to point out the flaws in Windows whenever someone publishes a well-documented critique of Apple’s performance or lack thereof on any issue, particularly security. This story isn’t about malware on Mac or malware on Windows. It’s about government Trojans, and Apple’s decision to wait 3+ years to patch this flaw unnecessarily exposed hundreds of millions of computer users — yes, Mac and Windows users — to being spied on.

        Well-loved. Like or Dislike: Thumb up 34 Thumb down 1
        • [Comment hidden due to low rating.]

          Poorly-rated. Like or Dislike: Thumb up 1 Thumb down 25
          • “journalistic malpractice and rampaging bias”

            Apology? Correction? Really, Pat? Please. Do everyone here a favor and put down the Apple-flavored Kool Aid and go rage on some other blog.

            Well-loved. Like or Dislike: Thumb up 17 Thumb down 0
            • [Comment hidden due to low rating.]

              Poorly-rated. Like or Dislike: Thumb up 2 Thumb down 17
      • Pat, posts and comments like yours make me understand more about the joke about the “Apple religion”, and allow me to laugh even more at it. (I once was a Mac user, but these days I hardly ever power up my Mac.)

        Well-loved. Like or Dislike: Thumb up 23 Thumb down 1
    13. “A few seconds later, some application on your system says there’s a software update available. You approve the update.”
      On a Debian GNU/Linux based system you’d immediately know that this was wrong, since individual applications cannot update themselves. All updates come from signed repositories. Apple has taken a page from the Debian handbook with their App Store for iOS devices, and Microsoft is apparently eyeing a similar updating mechanism for Windows 8.

      Like or Dislike: Thumb up 3 Thumb down 1
        One big lack with repositories is that anything which is not made/kept up by a certain core of the distro community lags badly behind in versions, when comparing what’s available through repositories versus the app developers’ site. And if there’s a mismatch of versions, bug reporting becomes somewhat useless, and getting the latest release version of the application usually requires a method of installing that is not as straightforward as through repositories. Some applications actually mention that for getting the latest version, you should visit their website.

        I’ve come to the conclusion that for a person who doesn’t bother learning the tricks of the OS, but focuses on the programs he needs to use, Ubuntu (a Linux distro based on Debian) is not a suggestible option. And it’s not an option at all if said person doesn’t have a Linux-savvy person as a friend, regardless of how free the stuff is.

        And for Ubuntu, if you don’t update the distro twice a year, bug reporting thru the centralized utility (only option in some cases) is generally useless, as you’ll be told to update your distro first.

        Regardless of all that (and much, much more that I haven’t mentioned here), I will keep using Ubuntu for anything that’s not gaming.

        Like or Dislike: Thumb up 2 Thumb down 0
          • I would have to argue that is not so much a problem with the repository model as a distro management issue. Should a distro support bleeding edge for software? Should users of version X of a distro get pushed up a major revision of the office suite associated with that distro, or should they only get patches by default? Most systems, such as yum and apt, make it easy to add additional repositories, such as ones that are managed by the software vendor (such as Adobe). What they fail to do is make it seamless to do this or to add additional repositories such as PPAs.

          We could talk about how to do this all day, the point is this approach can be applied to windows or apple as well. Allow approved vendors to apply for a signed certificate from MS or Apple and let them set up repositories that will be checked by the native OS update client. For example, adobe could install their repository configuration and validate their certificate when you install flash. MS will not have to manage the repo, adobe will.

          Like or Dislike: Thumb up 0 Thumb down 0
    14. “I would have to argue that is not so much a problem with the repository model as a distro management issue.”

      I don’t know what the core of the problem is, but there’s a serious problem, at least on Ubuntu’s side. The repository model itself is great: I hate installing anything outside of it, unless I’m 100% certain about what I’m doing – and then I just don’t like doing so. In the worst case you just have to put blind faith in Google, because all you have is the app (or library) name.

      “Should a distro support bleeding edge for software?”

      If it’s the latest release version for applications and libraries, then yes.

      “Should users of version X of a district get pushed up a major revision of the office suite associated with that distro or should they only get patches by default?”

      By default, patches, yes. But when the major revision is not available at all, what would you call that? (I’m still using Firefox 3.6.x)

      “What they fail to do is make it seamless to do this or add additional repositories such as PPAs.”

      I don’t argue with that.

      “the point is this approach can be applied to windows or apple as well.”

      I agree.

      “For example, adobe could install their repository configuration and validate their certificate when you install flash. MS will not have to manage the repo, adobe will.”

      Would very efficiently null the need for “Adobe Download Manager”-crap, and such.

      The repository model is most broken when an application cannot be installed because a library (or worse, libraries) it relies on is too old in the repository. A formidable reason why I abandoned FreeBSD long ago. Imagine a person who’s used to a GUI (through Mac) trying to install an application in a CLI environment, only to find out that he’d need to manually locate and install several libraries, because those available in repositories are too old. In the worst cases, some libraries were not available anymore at all. On Ubuntu as well, I’ve a few times run into that “too old version” problem. On Mac (again, years ago), I gave up on the macport[name?] stuff immediately because an attempt to install an application, which required a huge list of (small) libraries to be installed first, gave a painstaking list of “source not found” errors.

      Like or Dislike: Thumb up 0 Thumb down 0
    15. I dunno if it has been reported in the comments, but you should be aware that the FinFisher injection tools exist also at the “ISP level”, so they can do the injection into updates even from the “network you trust”.

      The tool is FinFly ISP.

      See about FinFisher, this article from owni.fr (french) and the wikileaks files that were released recently : http://owni.fr/2011/12/12/finfisher-cheval-de-troie-gros-requin-intrusion-surveillance/

      Like or Dislike: Thumb up 0 Thumb down 0