Flaw in Mac OS X allows interception of connections to secure websites

A flaw in Mac OS X, Apple’s operating system, allows interception of data connections to secure websites, those for which a padlock appears in the address bar. The flaw was discovered after the same problem was fixed in iOS, the system used on iPhones, iPods and iPads, on Friday (21).

Secure sites use the “https” protocol and are protected by encryption against interception of network traffic. Only the site's server can decrypt the data sent, so even if someone captures this data, it will be scrambled. The flaw allows a hacker to spoof the padlock and create, for example, a fake bank website that appears at the institution's actual address.

A program to exploit the flaw was disclosed on Tuesday (25) by specialist Aldo Cortesi. “Apple should have at least upgraded both [iOS and OS X] simultaneously,” Cortesi told the site “ZDNet”. He said it took a day to adapt his interception program so that it exploited the vulnerability in OS X.

The greatest risk is in software update systems. Because they usually rely on “https” to identify the legitimate update server, a hacker could spoof an update, causing the system to download and install software provided by the hacker. Data from Apple software, such as iCloud, is also vulnerable.

The Firefox and Chrome browsers for OS X, however, are not affected by the problem because they do not use Apple's code to verify the authenticity of certificates.

Users are subject to interception when using Wi-Fi connections or other untrusted networks, where a malicious person can use the software to view network traffic. In practice, anyone with access to an intermediate network, such as an ISP, could also make use of the problem to intercept data from secure sites. This, however, is not very common, leaving Wi-Fi networks as the simplest way to take advantage of the problem.

Developers gave it a nickname: ‘go to failure’
The Apple code where the vulnerability appears is open and can be viewed on the company's own website. The flaw was created by a misplaced “goto fail” statement (“go to failure”, in translation). This statement ends the verification routine when a fault is found while checking the site's security.

However, the code has two “goto fail” statements in a row. The first is inside a fault condition, but the second is not. Because the second one ends the check outside any fault condition, part of the verification is never performed.

The flaw can be exploited by using data from a legitimate security certificate and replacing it with false data from the point at which the code no longer performs its checks. The failure occurs at a point where the legitimate data that is still checked is public and can easily be obtained from the site being intercepted.

The flaw, therefore, received the nickname “goto fail” or “go to failure”.
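
The control flow described above, reduced to a small C program with the flawed pattern beside a corrected one. This is an added example, not Apple's code: the struct, the four step names and the error values are hypothetical, and each check is simulated by a constructed result.

```c
#include <stdio.h>

/* Constructed input: result of each verification step (0 = success). */
struct checks { int hash_client, hash_params, hash_final, signature; };

/* Runs one step and counts it, so callers can see how many checks ran. */
static int step(int result, int *ran) { (*ran)++; return result; }

/* Flawed pattern: the second "goto fail" is outside any fault condition. */
int verify_flawed(const struct checks *c, int *ran)
{
    int err;
    *ran = 0;
    if ((err = step(c->hash_client, ran)) != 0)
        goto fail;
    if ((err = step(c->hash_params, ran)) != 0)
        goto fail;
    goto fail;   /* duplicate: always taken, and err is still 0 here */
    if ((err = step(c->hash_final, ran)) != 0)
        goto fail;
    err = step(c->signature, ran);   /* never reached */
fail:
    return err;  /* 0 is reported to the caller as "verified" */
}

/* Corrected pattern: one braced "goto fail" per fault condition. */
int verify_fixed(const struct checks *c, int *ran)
{
    int err;
    *ran = 0;
    if ((err = step(c->hash_client, ran)) != 0) { goto fail; }
    if ((err = step(c->hash_params, ran)) != 0) { goto fail; }
    if ((err = step(c->hash_final, ran)) != 0) { goto fail; }
    err = step(c->signature, ran);
fail:
    return err;
}

int main(void)
{
    struct checks forged = {0, 0, 0, -1};  /* constructed: only the last check is bad */
    int ran, err;
    err = verify_flawed(&forged, &ran);
    printf("flawed: err=%d after %d of 4 checks\n", err, ran);
    err = verify_fixed(&forged, &ran);
    printf("fixed:  err=%d after %d of 4 checks\n", err, ran);
    return 0;
}
```

Faults in the steps before the duplicate are still caught by both versions, which is why the flawed routine looks correct in ordinary testing.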