August 29, 2008

No surprise - we have more Apple iPhone security flaws

This time it is a passcode bypass, and it highlights again that Apple favors functionality over security. Even when a user locks the device with a four-digit passcode, some functionality stays reachable from the lock screen. Someone who selects "Emergency Call" can navigate from there to other options that eventually give almost complete access to the phone, without ever entering the passcode.

This highlights a fundamental design deficiency in the iPhone, and flies in the face of Steve Jobs' declarations about iPhone security. Even with some of the recent improvements in security, Apple's internal decision-making process consistently chooses functionality and aesthetics over security. The most recent demonstration of this bias is the speed with which fixes for this year's 3G connectivity issues were released, while security updates generally take several months.

I don't think this is an acceptable level of risk for most enterprises, and it's probably too much risk for many consumers. Until Apple begins to publicly address the fundamental design, development and process issues that move security to the back burner, enterprises will be forced to remain skeptical about the iPhone and will have to worry about the protection of confidential data on the device.

August 12, 2008

Many Microsoft Bulletins Replaced; Bigger Set of Kill Bits Issued

Many Patches Get Replaced

When it comes to Microsoft Patch Tuesday, August might be better classified as a do-over. Of the 11 bulletins released today, 7 replace former bulletins. The bulletins being replaced are an interesting diversion in their own right: one dates back to 2003, while others were released only in the past few months. In one case, MS08-026, a remote code execution in Word, has now been superseded by three new bulletins this month.

MS08-041 replaces MS03-038
MS08-042 replaces MS08-026
MS08-043 replaces MS08-026 and MS08-014
MS08-044 replaces MS06-039
MS08-045 replaces MS08-031
MS08-048 replaces MS07-056
MS08-051 replaces MS06-058 and MS08-026

Is this a case of a bad patch or a new vulnerability? In all likelihood the replacements signify a bit of both. A common tactic for any researcher is a history lesson in whatever you are investigating. Putting older patches under the microscope generally reveals two sets of clues: where the code changed and what kind of change was made. The 'where' points a researcher at the locations in a code base that deserve further inspection; the 'what' shows which functions or routines have been problematic in the past and might prove troublesome again. Chances are we are seeing additional fixes for past vulnerabilities as well as new flaws found by means of these history lessons.

Kill Bits Galore

Security advisory 953839 was also published today. The intent of this cumulative security update is to issue new kill bits for known vulnerable ActiveX controls. A kill bit is a flag in the registry, set per class identifier (CLSID), that tells Internet Explorer not to instantiate that control even when a page requests it. It does not remove or update the vulnerable code; it simply stops IE from loading it, and applications other than IE that host the same control get no protection from it. In today's update we received roughly 90 kill bits on class identifiers related to Aurigma products and another 20+ on HP products.
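As an added example (my code, not Microsoft's or nCircle's), the Python below shows where a kill bit lives and how to check, apply or audit one. The registry path and the 0x400 bit of the "Compatibility Flags" DWORD are documented Windows facts; the CLSID used in the demo is a made-up placeholder, not one of the Aurigma or HP identifiers from the advisory.

```python
r"""Kill-bit helpers for Internet Explorer ActiveX controls.

IE consults HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
REG_DWORD "Compatibility Flags", before instantiating a control; bit 0x400 is
the kill bit.  The CLSID used in the demo below is a made-up placeholder.
"""
import re

KILL_BIT = 0x00000400
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def is_killed(compat_flags):
    """True when the kill bit is set; None means the value (or key) is absent."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)


def set_kill_bit(compat_flags):
    """Return the flags value with the kill bit added, keeping any other bits."""
    return (compat_flags or 0) | KILL_BIT


def reg_file(clsids):
    """Render a .reg file that sets the kill bit for every CLSID given.

    A .reg import overwrites the whole DWORD, so on a machine that already has
    other Compatibility Flags set, read the value and merge with set_kill_bit()
    instead of importing blindly.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.upper()
        if not _CLSID_RE.match(clsid):
            raise ValueError("not a CLSID: %r" % clsid)
        lines.append("[HKEY_LOCAL_MACHINE\\%s\\%s]" % (ACTIVEX_COMPAT, clsid))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


def audit_live(clsids, wow64_32bit=False):
    """Windows only: read the live registry and report {clsid: killed?}.

    On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so audit that
    view as well by passing wow64_32bit=True.
    """
    import winreg  # standard library, but only present on Windows

    access = winreg.KEY_READ | (winreg.KEY_WOW64_32KEY if wow64_32bit else 0)
    result = {}
    for clsid in clsids:
        clsid = clsid.upper()
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 ACTIVEX_COMPAT + "\\" + clsid, 0, access)
        except OSError:
            result[clsid] = False  # no key at all: the control is not killed
            continue
        with key:
            try:
                flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            except OSError:
                flags = None
        result[clsid] = is_killed(flags)
    return result


if __name__ == "__main__":
    # placeholder CLSID, not any real vendor's control
    demo = ["{11111111-2222-3333-4444-555555555555}"]
    print(reg_file(demo))
```

The rendered .reg text can be applied with `regedit /s`; audit_live() is the check to run afterwards, on both registry views on 64-bit hosts. Remember that a kill bit only stops IE from instantiating the control; the vulnerable DLL stays on disk until the vendor ships a fixed build.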

This is not the first time Microsoft has used Patch Tuesday to distribute kill bits for third-party controls. While the method may seem novel now, it will become routine, and probably tiresome, as time goes on. The reason is partly what we learned from Microsoft at last week's Black Hat talk. Microsoft announced new security initiatives, one of them an active effort to deliver a more secure system to Windows users as a whole, even if that means finding bugs in third-party products. Going forward, we can expect Microsoft to find vulnerable ActiveX controls and issue kill-bit updates on Patch Tuesday, making Windows generally more secure and giving the third-party vendor time to release proper updates for its software.

August 1, 2008

Apple DNS Patch Fails To Randomize - Users Still At Risk

Did Apple forget to patch something? By the look of things, the DNS client on OSX 10.4.11 still has not been patched.

A lot of people, including myself, have been prodding Apple on why they are so late to the table with this DNS patch. All the major vendors had at least made a public statement about the issue within a few days. Apple, by contrast, has been characteristically quiet, which never seems to work in their favor. The general counter-argument has been that since OSX is not widely used as a recursive DNS server, they haven't been putting their users in much jeopardy.

As things normally go with Apple, they sprang an update on us. Late in the day yesterday we got Security Update 2008-005, which includes an update for BIND (along with a good number of other items worth reviewing).

Excerpt from the release notes:


*BIND
CVE-ID: CVE-2008-1447

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: BIND is susceptible to DNS cache poisoning and may return forged information

Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

No Port Randomization

The current countermeasure to this cache poisoning vulnerability is to add entropy by randomizing both the query ID and the source port, which makes a spoofed response far harder to land. However, it appears that Apple forgot something. The client libraries on my OSX 10.4.11 system, even after installing the patch, still do not randomize the source port.

Here is a comparison between a patched FreeBSD 6.3 system and my OSX 10.4.11 system.

FreeBSD 6.3

08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 IP [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)

OSX 10.4.11

08:05:47.741385 IP [OSX].49193 > [SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 > [SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 > [SERVER].domain: 27650+ A? www.cnn.com. (29)


The Bottom Line

For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched.
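As an added example (my own script, not Apple's or nCircle's code), here is the check I would run on a capture like the two above: it parses tcpdump query lines, decides whether the resolver's source ports are fixed, sequential or randomized, and turns the verdict into the size of the search space a spoofer must cover. The capture lines are copied from the post (hosts were already redacted there as [BSD], [OSX] and [SERVER]); the usable ephemeral port range of 64512 ports is an assumption, not a measured value.

```python
import math
import re

# Captures copied from the post above (hosts were already redacted there);
# the second FreeBSD line lacks tcpdump's "IP" tag exactly as it was posted.
FREEBSD_CAPTURE = """\
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)
"""

OSX_CAPTURE = """\
08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)
"""

# "HH:MM:SS.frac [IP] src.sport > dst.domain: txid+ ..."; the "IP" tag and the
# space after ">" are optional, as they are in the captures above.
_QUERY_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?:IP\s+)?(?P<src>\S+?)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\S+?)\.domain:\s+(?P<txid>\d+)\+"
)

EPHEMERAL_PORTS = 65536 - 1024  # assumed usable source-port range (ports >= 1024)


def parse_queries(capture):
    """Return [(source_port, transaction_id), ...] for each DNS query line.

    Lines that are not queries (responses, other protocols) are skipped.
    """
    queries = []
    for line in capture.splitlines():
        m = _QUERY_RE.match(line.strip())
        if m:
            queries.append((int(m.group("sport")), int(m.group("txid"))))
    return queries


def classify_ports(ports):
    """'fixed' when every query reuses one port, 'sequential' when each port is
    the previous one plus a constant step, otherwise 'randomized'.

    Three packets, as in the post, are only enough to spot the obvious cases;
    capture a few hundred queries before trusting a 'randomized' verdict.
    """
    if len(ports) < 2:
        raise ValueError("need at least two queries to judge port behaviour")
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {0}:
        return "fixed"
    if len(steps) == 1:
        return "sequential"
    return "randomized"


def spoof_search_space(behaviour, ephemeral_ports=EPHEMERAL_PORTS):
    """Number of (port, txid) pairs an attacker must cover to forge a response.

    The 16-bit transaction ID is always secret; the source port only adds to
    the search space when the resolver actually randomizes it.
    """
    txids = 2 ** 16
    if behaviour == "randomized":
        return txids * ephemeral_ports
    return txids  # fixed or predictable port: the attacker already knows it


def report(capture):
    """Summarize one capture: ports seen, verdict, and effective entropy bits."""
    ports = [p for p, _ in parse_queries(capture)]
    behaviour = classify_ports(ports)
    space = spoof_search_space(behaviour)
    return {
        "ports": ports,
        "behaviour": behaviour,
        "search_space": space,
        "entropy_bits": round(math.log2(space), 1),
    }


if __name__ == "__main__":
    for name, capture in (("FreeBSD 6.3", FREEBSD_CAPTURE), ("OSX 10.4.11", OSX_CAPTURE)):
        print(name, report(capture))
```

Run against the two captures, the FreeBSD box comes out "randomized" at roughly 32 bits of entropy while the OSX box comes out "sequential" at the bare 16 bits of the transaction ID. Feed it a longer `tcpdump -n udp port 53` capture of your own stub resolver for a verdict worth acting on, and remember that a stub behind a caching recursive server is only as safe as that server's own port randomization.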

Update:

Swa Frantzen, the SANS Handler on duty, discovered the same thing on OSX 10.5.4.

Thanks to Gregg Keizer for covering this topic at ComputerWorld.

And Ryan Naraine also found this interesting enough to cover at the ZDnet Zero Day Blog.


July 15, 2008

San Francisco IT Admin Charged with Hijacking the City's Network.

Link to PC World Article

Being an IT manager and security professional, this story makes me shake my head. It has certainly been the talk soup at the office today. A few quick thoughts on this.

Terry Childs seems to have backed himself into a corner and created a no-win situation. He had to have been in a desperate position to take the system hostage by blocking access and refusing to hand over passwords. Unfortunately for Childs, real-life computer security rarely works like it does in the movies; bargaining power is limited by the long arm of the law.

Childs' managers should have known better. A situation like this could only occur if safety nets and best practices were ignored or circumvented: a second set of device credentials held in escrow, and configuration backups kept outside any one administrator's control, are the minimum. Any security program that allows one person to cause this much damage is seriously deficient, especially since this has apparently been going on since June 20th.

The big question in my mind concerns the ramifications of continuing to run a system that could have been rigged to remotely delete data. If this concern turns out to be accurate, every minute the city keeps the system up while it is not entirely in their control is another minute that city data is in jeopardy. A compromised system could mean data is deleted and confidential information is leaked. Both of these are significant risks.


Update:
Linked to the Robert McMillan article in PC World since he used my quote.

July 14, 2008

5 Reasons Why the iPhone 2.0 is still not Enterprise 1.0 Ready

1. Apple ships a software update the same day the hardware is released.

This is clearly indicative that Apple struggled to get the product to market on time. It's an old trick: ship the product and hope that by the time it hits consumers' hands you'll have a massive update available for download. After a few days of heavy usage, developers are blaming Apple when users complain of spurious application crashes. According to developers, it's not a problem with their applications but with the new 2.0 firmware. The enterprise invests in quality. A rushed product will inevitably mean problems.

2. Apple's own update infrastructure isn't designed to handle the load.

Enterprises can't afford failure, and on release day Apple's activation system keeled over. Apple knew exactly how many iPhones were available to be sold; they simply didn't architect their infrastructure to handle the known demand. This is not some mom-and-pop website getting Slashdotted. Consumers being unable to activate their iPhones was one problem, but the outage also hit everyone trying to use the iTunes store. If an enterprise is dependent on this infrastructure, prepare for outages.

3. iPhone 2.0 firmware already hacked.

In fact it was hacked before it was officially released. This is all about compliance and homogeneity. While Apple fights to keep the iPhone locked for contractual and revenue reasons, the enterprise wants it locked for compliance. A device that does not match the IT common spec is considered a rogue device. Rogue devices cause increased workload and introduce security risks.

4. Enterprise customers get the bait and switch.

While I may be the viewed as the "iPhone hater", I still attempted to order an iPhone from my corporate AT&T wireless account manager. After weeks of receiving email pitches to place an order, we are told at 5pm Thursday night our account isn't eligible. But I could upgrade the account type. No thanks, that's lingo for "let me lock your company into a monthly commitment plan".

5. iPhone configuration utility not quite there yet

Along with ActiveSync support, Apple also released the iPhone Configuration Utility. This is a reactive step forward for Apple: they seem to have realized that IT operations need centralized configuration and management tools even for smartphones. The problem for Apple is that it's a stepchild of a utility. The configuration product is a third-party tool that has no integration points with Exchange, Active Directory or any other centralized enterprise infrastructure. Further, it exhibits Apple's failure to understand true policy compliance and enforcement, because it requires IT to distribute configuration XML files by email or over the web. This is not policy enforcement; it's policy inclination.

July 8, 2008

"Giant" DNS Vuln - Apple: 0; Microsoft: 1

Close your Twitter and FriendFeed, drop that iPhone, put your shoes on and order some pizza; it's gonna be a late night full of patching DNS servers. At least that's what you'd think I'd be writing about today. Multiple DNS implementations are vulnerable to cache poisoning, and it is a relatively big deal. The bigger deal we seem to be overlooking is Microsoft's role in this event and how the competition stacks up.

Today is July 8th, 2008. It's what we call Patch Tuesday, and by normal accounts it's a day on which people like myself, who work professionally in information security, already know quite clearly what is on the plate. Today's Patch Tuesday is a bit different, though. Thanks to a number of influential security professionals, we have a significant multi-vendor, multi-agency coordinated release going on, and Microsoft is not the only game in town.

When we talk about today's DNS vulnerability announcement, I'm not fretting over my Windows servers or my XP laptops. The vendors we need to be concerned with today are the 90+ other companies listed in the CERT advisory that have provided no status information on their products. Many of these vendors were apparently notified in April and May of 2008. Three months later the advisory is public and many high-profile vendors still carry the dreaded "unknown" status. I'll save you the time of reading the vendor list and highlight a trend I've talked about before:

Cisco: Vulnerable
Foundry: Not Vulnerable
ISC: Vulnerable
Juniper: Vulnerable
Microsoft: Vulnerable
Nominum: Vulnerable
Power DNS: Not Vulnerable
Sun: Vulnerable
Apple: Unknown

That is correct. The company that insists it has the most secure operating system, the company that keeps trying to penetrate the enterprise computing market, is listed as unknown. This is the same company that lost its splashy smartphone to a previously patched bug in an open source project, and whose brand new laptop keeled over in less than two minutes at PWN2OWN not much later.

In comparison, we know that back in March engineers from major vendors met at Microsoft to plan and coordinate today's events. Further, not only do we know what Microsoft products are vulnerable, but we also have patches. The reason for this is simple - Microsoft is an enterprise vendor:

Microsoft has a predictable and regular patch release cycle.
Microsoft communicates to the public about its security issues.
Microsoft has a publicly readable and defined security glossary of terms.
Microsoft has a well-run security development life cycle.

We may not always like Microsoft or Microsoft products (hint: please extend the support of XP), but today's round goes clearly to Microsoft.

Updates

7/9/08: Add Vendor References

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

June 25, 2008

iPhone success based on culture?

Ben Whorten of the Wall Street Journal suggests, in his BizTech blog posting, that the iPhone adoption will be based on business culture. Ben may be partially correct. But, when it comes to enterprise infrastructure, "chic" doesn't get the PO signed.

The dynamic struggle between productivity and security is sure to come into play in the decision to support the iPhone on the corporate network. Ben appears to believe that the IT crowd bans technologies on the grounds that they enable the "goof off" factor, while employees interested in using the iPhone believe it will make them more productive. There is an element of truth in both viewpoints, but Ben overlooks a much larger issue central to the decision to support anything on the corporate network: compliance.

Ever since the Sarbanes-Oxley act of 2002 changed the regulatory climate of business, the CIO's purchasing decisions have been heavily influenced by the vendor's security practices. Public companies generally must comply with a minimum of three different regulations, and many of the associated compliance requirements apply to the company and all of its supply chain.

Additionally, the consequences for failing an audit are not to be underestimated. Aside from the serious costs involved and the long term consequences of having to endure more frequent and exacting audits, there is jail time to consider. It's enough to give any CIO pause. In Ben's defense, he does make a practical point -- businesses already invested in RIM's Blackberry phone are the least likely to make the switch. This is just economics, plain and simple. Without a solid ROI plan, no sane business manager would be willing to overhaul existing infrastructure to make the switch to iPhone when the current system already solves the problems, especially in a tight economy. But, Ben also says that the switch will "hinge on culture." While culture is a critical component to the success factor of a company -- just ask Google -- the majority of CIOs can't afford to nuke their existing infrastructure simply because the next cool widget to hit the market supports business email.

Ben's points about the cultural beliefs that skew corporate buyers away from the iPhone miss the most surprising element of Apple's strategy to capture market share in the enterprise: it is relying on Microsoft for security. No one else seems to see the irony in this that I do. For years, Apple's marketing has hammered on Microsoft's products as bloated and full of security holes. However, Apple obviously realized that in order to enter the enterprise market they had to do something drastic. Evidently, the need to pump up iPhone sales was enough to get Apple behind Microsoft's Exchange ActiveSync. And remember, ActiveSync is more than just a method to deliver email to a handheld device; it is also Microsoft's conduit for delivering security configurations.

Apple builds their revolutionary device to be compliant to Microsoft's handheld information security platform? And they say politics makes strange bedfellows!

June 18, 2008

Phishing Circa 2004

Look what I found in my inbox. Yes, it's phishing circa 2004.

I am responding to the email for your auction which was posted on eBay. I believe i emailed you a week ago regarding this sale, and my interest in it.

Please confirm that it is the same auction with the one posted on eBay link:

http contact-member.1sta.com/ <http productionscout.com/mambots/contact.ebay.com/aw-cgi/eBayISAPI. dllSignIn .php>


I am very interested in this auction and ready to complete the deal as soon as possible.Hope to hear from you soon!

Sincerely,
Gene Holingsworth


(Note: URLs changed so people won't feel compelled to click on them)

Maybe the old skool tactic is working again? Seems that everything works in cycles, so you never do know.
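What gives this one away is the link: the visible text points at one host, the underlying href goes to a different host, and "ebay" only appears in the path, not in the registered domain. As an added example (mine, not from the original post), the Python below encodes exactly those two checks. The sample link text and href are constructed stand-ins that mirror the shape of the redacted URLs above; they are not the real hosts. The registered-domain helper is a deliberate "last two labels" simplification with no public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Brands the check knows about; extend for whatever your users bank with.
BRANDS = ("ebay", "paypal")

# Constructed stand-ins for the redacted links in the mail above (not the real
# hosts): the visible text points one place, the underlying href somewhere else,
# and the brand name is buried in the path rather than the domain.
SAMPLE_TEXT = "http://contact-member.1sta.test/"
SAMPLE_HREF = ("http://productionscout.test/mambots/contact.ebay.com/"
               "aw-cgi/eBayISAPI.dllSignIn.php")


def registered_domain(host):
    """Last two labels of a hostname.

    Simplification: no public-suffix list, so 'example.co.uk' comes back as
    'co.uk'. Good enough to separate 'ebay.com' from 'ebay.com.evil.test'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_spoof_reasons(href, link_text=None):
    """Return the reasons a link looks like brand impersonation ([] if clean).

    Checks: a known brand name in the hostname or path of a URL whose
    registered domain does not belong to that brand; and link text that names
    a different registered domain than the href actually goes to.
    """
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    regdom = registered_domain(host)
    path = (parts.path + "?" + parts.query).lower()
    for brand in BRANDS:
        if regdom.startswith(brand + "."):
            continue  # the brand really owns this registered domain
        if brand in host:
            reasons.append("'%s' in hostname but registered domain is %s"
                           % (brand, regdom))
        elif brand in path:
            reasons.append("'%s' in path but registered domain is %s"
                           % (brand, regdom))
    if link_text:
        m = re.search(r"https?://([^/\s]+)", link_text)
        if m and registered_domain(m.group(1)) != regdom:
            reasons.append("link text shows %s but href goes to %s"
                           % (registered_domain(m.group(1)), regdom))
    return reasons


if __name__ == "__main__":
    for reason in brand_spoof_reasons(SAMPLE_HREF, SAMPLE_TEXT):
        print("suspicious:", reason)
```

Against the constructed sample this reports both the path-buried brand and the text/href mismatch; against a genuine sign-in URL on the brand's own registered domain it reports nothing. For production use swap registered_domain() for a real public-suffix lookup, otherwise country-code domains will produce false matches.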

April 18, 2008

PayPal's Browser Preference Protects Consumers

While most consumers knock on vendor doors to raise awareness and demand better security, PayPal is flexing their muscle in a different way. They are going to force their users to only use approved web browsers. While this may seem disruptive, it is actually a rather old technique used by software vendors. Every piece of software you buy today, consumer or enterprise, comes with a list of approved and required components. If the user chooses to use a non-approved configuration, the vendor denies support. This is a natural progression of the Internet. Providers of services need not only protect their bottom line by making such demands, but also in the long run will protect the consumer. That is exactly what PayPal is doing and this is good business for everyone.

The next disruptive technology to hit consumers and enterprises will be the single-site browser. This will be web-browser-like client software that can do nothing but be used for a single website. Think of it as a traditional client/server application: if you need to use your financial system, you launch browser X; if you need to use the ERP system, you launch browser Y. At the far end of the spectrum, this feels like a 10-year step backwards in user productivity and IT operations management. In all likelihood what we will see is still a single browser, but one that is intelligent enough to lock all network traffic to a single known and trusted site. In this scenario the user would need to log off and switch context between system X and system Y, while the browser ensures no errant information gets transmitted to any other system.

Can it be pulled off? Given the very open nature of the Internet and HTTP, it's rather easy to make web traffic look as if it comes from Internet Explorer instead of Firefox; the User-Agent header is supplied by the client and can be set to anything. Exactly how, and whether, service providers act on this initiative will be interesting to watch. We do already have one other service for comparison. iTunes from Apple is essentially the same situation: if a user wants to use the iTunes music store, they need to use iTunes. So far, that limitation hasn't seemed to limit Apple's revenues.

So what about the openness of the Internet? What about the market created by the browser wars? Are we going to see fewer browsers? Look at it this way: the more we demand features and functionality, the more the market will evolve.

April 8, 2008

nCircle at RSA This Week

nCircle is at RSA this week and we have remote control helicopters. Let's face it, people like to get free stuff at conferences. So come by the booth and learn how to get yourself one of these very cool RC helicopters.



And while I have your attention, we also have two employees speaking this week.

When: Friday, April 11 at 9:00 AM - 9:50 AM
Title: Using Game Theory to Outmaneuver Your Opponent
Location: GREEN ROOM 102
Speaker: Tim Keanini


Technology Showcase Presentation
When: Wednesday, April 9 at 11:30 AM
Title: Effective Scanning for Production Web Applications
Location: Booth 2603 (lower right corner of the show floor)
Speaker: Tim Erlin