Mac users warned against using public Wi-Fi networks

Security experts have advised companies to ban employees using Mac laptops to connect to public Wi-Fi networks, including those at the RSA Conference this week, until Apple releases a patch for a serious vulnerability that can be easily exploited in a man-in-the-middle attack.

A coding error in the authentication logic in Mac OS X 10.9.1, the latest version, makes it possible for an attacker to bypass the SSL/TLS verification routines upon the initial connection handshake between the client and a remote server. SSL/TLS are cryptographic protocols used in securing communications over the Internet.
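The coding error itself is not spelled out on this page, but it is well documented (see Langley's write-up, referenced below): a duplicated, unconditional `goto fail;` in the handshake's signature-verification path. The C below is a constructed mock added here, not Apple's code; the toy hash and "signature" stand in for the real primitives so the vulnerable and fixed control flow can be compared side by side.

```c
#include <stddef.h>
/* Constructed toy stand-ins for the real hash and signature steps. Each
 * returns 0 on success, nonzero on failure (the error-code convention the
 * real handshake code used). Not cryptography. */
static int hash_update(unsigned *h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        *h = *h * 31u + p[i];
    return 0;
}

/* A "signature" is valid only if it equals the digest of the signed params. */
static int raw_verify(unsigned digest, unsigned sig) {
    return digest == sig ? 0 : -1;
}

/* What an honest server would send for these params (constructed). */
unsigned toy_sign(const unsigned char *params, size_t n) {
    unsigned h = 0;
    hash_update(&h, params, n);
    return h;
}

/* Vulnerable shape: the second 'goto fail' sits outside any 'if', so it is
 * always taken with err still 0; raw_verify() is never called. */
int verify_signed_params_vulnerable(const unsigned char *params, size_t n,
                                    unsigned sig) {
    int err;
    unsigned h = 0;
    if ((err = hash_update(&h, params, n)) != 0)
        goto fail;
        goto fail;                      /* the duplicated, unconditional line */
    if ((err = raw_verify(h, sig)) != 0)
        goto fail;
fail:
    return err;                         /* 0 ("verified") even for a forgery */
}

/* Fixed shape: one conditional goto per step, so raw_verify() is reached. */
int verify_signed_params_fixed(const unsigned char *params, size_t n,
                               unsigned sig) {
    int err;
    unsigned h = 0;
    if ((err = hash_update(&h, params, n)) != 0)
        goto fail;
    if ((err = raw_verify(h, sig)) != 0)
        goto fail;
fail:
    return err;
}
```

A regression test that feeds the verifier a forged signature is what catches this class of defect: the vulnerable shape returns success, the fixed shape does not.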

By circumventing the verification process, an attacker on a public network could masquerade as the destination, such as a webmail provider, and intercept encrypted traffic, according to security firm CrowdStrike. The attacker could also modify data in flight to deliver exploits capable of taking control of a Mac.

"The recommendation that we've certainly told both our employees and our customers is to not connect to any untrusted network until a patch is available from Apple," Dmitri Alperovitch, chief technology officer for CrowdStrike, said. "The situation is pretty dangerous."

Apple said in an emailed statement Monday, "We are aware of this issue and already have a software fix that will be released very soon."

In the meantime, examples of networks Mac users should avoid include those in hotels, airplanes, Starbucks and the RSA Conference, a major security event going on in San Francisco.

"None of them are safe," Alperovitch said.

Researcher Adam Langley also confirmed the vulnerability and posted a more technical explanation.

The flaw affects any application on the Mac that uses SSL/TLS, including Safari, messaging apps and even Apple's software update. The Chrome and Firefox browsers are not affected because they use NSS, a different set of cryptographic libraries for client and server communications.

Brent Bandelgar, associate security consultant at Neohapsis, said the bug was not in the previous version of Mac OS X, 10.8.5.

"Holdouts still on the previous OS X release, Mountain Lion, are safe," he said in an email.

A man-in-the-middle attack is a form of active eavesdropping in which a hacker makes an independent connection between a client and its destination server. The hacker relays messages between them, making them believe they are talking to each other over a private connection. In fact, the attacker is controlling the entire conversation.

With the Apple flaw, the attacker would have to be on the same public network. Once there, the exploit would not be difficult, Alperovitch said.

"Essentially, anyone on the public network can do a man-in-the-middle attack fairly easily and spoof SSL Web servers," he said.

The same flaw is in the latest version of iOS, Apple's operating system for the iPhone and iPad. The company released a patch for the vulnerability over the weekend.

When a patch is released for Mac OS X, system administrators can pass on the automatic update served by Apple and manually download the software and verify the package using both the provided cryptographic hashes and digital signatures, Bandelgar said.

"As with any update, users should back up their data before applying the update," he said.

Stories by Antone Gonsalves