Posted on 11/30/2011 9:59:15 AM PST by for-q-clinton
An unpatched security flaw in Apple's iTunes software allowed intelligence agencies and police to hack into users' computers for more than three years, it's claimed.
A British company called Gamma International marketed hacking software to governments that exploited the vulnerability via a bogus update to iTunes, Apple's media player, which is installed on more than 250 million machines worldwide.
The hacking software, FinFisher, is used to spy on intelligence targets' computers. It is known to be used by British agencies, and earlier this year records were discovered in abandoned offices of that showed it had been offered to Egypt's feared secret police.
Apple was informed about the relevant flaw in iTunes in 2008, according to Brian Krebs, a security writer, but did not patch the software until earlier this month, a delay of more than three years.
"A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw," he said in a blog post.
"The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title." ... This month's iTunes update 10.5.1 explained that "a man-in-the-middle attacker may offer software that appears to originate from Apple", adding that the "issue has been mitigated".
(Excerpt) Read more at telegraph.co.uk ...
Oh, so that's why iTunes needs updating *every* *single* *freaking* time you open it.
I have only 20-some music albums, a few movies and some apps on iTunes for syncing to my iPod Touch.
I suspect that my daily downloads of Mark Levin's podcast may attract some attention, but as of now I transfer to a non-Apple mp3 player for later play.
Is there any doubt that other ways exist for them to access your computer if they choose?
Figures a worm would bore into an apple.
Just guessing, but I'd say NONE of the commercial OSs - including cell phones - lack back doors. The only thing I would trust is the smallest Linux distro I could find, and then I'd still obfuscate my MAC address on a disposable laptop and go through an Onion router from a public Wi-Fi location that didn't have security cameras in the area. Not to say that I'm paranoid or anything ;-)
Other than that, whatever is on your computer or you send over a network can probably be found out/tracked IF the desire is high enough.
Onion routers are no longer secure... all you have to do is make yourself an exit point and you can capture everything. There's a replacement for it, but I can't recall what it is right now. ShadowAce tech pinged it a while back.
Exactly. Remember years ago when the Feds sued Microsoft? Went on for years and they settled.
I felt at the time that they probably allowed the Feds back-door access to Windows as part of the deal. No proof, just gut feeling.
I have the same frustration on my Windows PCs... but not my Macs... not sure why it doesn't get as many updates on the Mac side.
It appears that the flaw only affected the Windows version of iTunes. Krebs said Amato had tried to replicate it on OS X systems, but had failed.
My Macs don't seem to have the security issues Windows PCs have, maybe it is by design...
Help, the paranoids are after me!
Nice try. This is an APPLE bug not a Windows bug.
Remember all the excuses when Macs get hacked via Adobe garbage code? Well, this is the same situation. The OS happens to be Windows, but it's due to Apple's crappy code in iTunes.
I suspect this "flaw" was not removed during iTunes updates until recently because of government contractual or legal requirements... and it was only eliminated because another backdoor was created to provide the same access for authorities... Note the article states it is only activated by a "bogus iTunes update," which would require a way of creating a "man-in-the-middle" method of installation of iTunes on the targeted computer, a very difficult thing with Apple's signed servers... something a government agency COULD do to place the bogus iTunes on the targeted criminal's computer... but not something a regular hacker has been able to accomplish with iTunes or Apple's update servers to date.
If you want on or off the Mac Ping List, Freepmail me.
Do you have a link proving this or are you just guessing?
Thanks. I just wanted to get in a small dig, and I also wanted to make it clear that this is an iTunes problem on Windows computers, but not on Macs. Your original comment:
This must be a lie because I was promised by apple fans that Apple doesn't have security issues and it's secure by design.
seemed to blur the line between Mac hardware/software combination and iTunes software running on Windows PCs.
Imagine how many back doors there are into our computers, that we DON’T know about.
Read what I posted... I said: "I suspect..." It's an educated conclusion, based on experience, logic, and the evidence. Governments DO require access through backdoors. Apple does patch such inadvertent "flaws" proactively, and there has to be a reason a certified security company was selling access using this "flaw" only to law enforcement agencies around the world, and a reason why Apple did not close this "flaw." I suspect it was a deliberate back door that was found by this hacker and Apple ignored it for contractual reasons or because they were required to provide a backdoor under law... and this was it. Now that it was exposed, they have had to provide another backdoor for law enforcement, not publicly known. I also suspect that since this is active ONLY on Windows, the flaw is actually a Windows vulnerability that was being utilized through iTunes as a convenient modality. I would also bet that there is other common software that uses the same backdoor, because iTunes does not have 100% penetration of the Windows market.
Note also that although the article claims the flaw exists on hundreds of millions of computers, it REQUIRED a bogus installation of iTunes for it to be utilized, so that claim is probably false, an assumption on the part of the writer of the article. I think that means it really is not Apple's flaw, unless the true flaw is in spoofing Apple's certificate checking for the installation of an update. The article is not clear on this. It is clear that this exploit does not work on OS X.
Apple did recently bolster its certificate checking on software updating in preparation for launching iCloud services... and that may be what they are referencing about closing the "flaw" in the last update after ignoring it for three years.
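The "bogus update" delivered by a man-in-the-middle that the article and the posts above describe is only possible when the update client trusts whatever bytes arrive. The following is an added example, not Apple's or iTunes' code: it models a vendor signing an update with an Ed25519 key, an attacker swapping the update body in transit, and an update client that either installs blindly or verifies the signature against a public key pinned in the client (the key pair and the payloads are constructed for the demo).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what an update client receives over the network: the payload
// plus the signature the vendor produced over exactly those bytes.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Demo key pair, constructed at start-up. In a real client only the public
// key ships with the software; the private key never leaves the vendor.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// publishUpdate is the vendor side: sign the payload with the private key.
func publishUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// tamper models a man-in-the-middle replacing the update body in transit;
// the signature it still carries was made over the original bytes.
func tamper(u Update, bogus []byte) Update {
	return Update{Payload: bogus, Signature: u.Signature}
}

// installUnverified is the weak behaviour: install whatever arrived.
func installUnverified(u Update) ([]byte, error) {
	return u.Payload, nil
}

// installVerified accepts a payload only if its signature verifies against
// the key pinned in the client, so a substituted body is rejected even
// when the attacker fully controls the network path.
func installVerified(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return u.Payload, nil
}

func main() {
	genuine := publishUpdate(vendorPriv, []byte("update-genuine")) // constructed sample
	bogus := tamper(genuine, []byte("update-bogus"))               // constructed sample
	if p, _ := installUnverified(bogus); bytes.Equal(p, bogus.Payload) {
		fmt.Println("unverified client installed the bogus update")
	}
	_, err := installVerified(vendorPub, bogus)
	fmt.Println("verified client:", err)
}
```

The check lives in the client and does not depend on the transport: a spoofed server or interposed proxy can deliver bytes, but cannot produce a valid signature without the vendor's private key.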
Well, you have the right idea in the first place: Assume everything you read or write can be seen by others.
Why does the government care about my Nino Rota downloads?