Tuesday, June 28, 2011

Opera Outdated in Mac App Store Again

Not surprisingly, when Opera Software released the new version of its browser earlier today, Opera 11.50, it didn't make it to the Mac App Store.

You may recall that last month Opera 11.11 was released, and the version in the Mac App Store was two versions (and two months) old and contained a publicly-disclosed security issue rated as "critical."  After contacting Apple and Opera, and after much press coverage thanks to my article warning users about the issue, Apple finally published the then-current version 11.11 in the Mac App Store.

Apple's Mac App Store is still distributing Opera 11.11, which is now outdated and publicly known to contain no fewer than three vulnerabilities, two of which have been publicly disclosed.  One of the three vulnerabilities (the details of which have not yet been disclosed) is rated by Opera as "moderately severe," while Opera rates the severity of the two publicly-disclosed vulnerabilities as "high" ("Data URIs may be used to initiate cross site scripting against unrelated sites") and "low" ("Issue with error pages can cause a system crash").

Like last month, I notified both Apple's security team and Opera about the issue on the day of the new version's release.  It will be interesting to see how long it takes Apple to approve the new version and begin distributing it in the Mac App Store; last time it took a full week after I notified Apple's security team about the issue.

If you missed my previous article on the subject, my recommendation was this: if you downloaded Opera from the Mac App Store, drag the outdated copy of the application into the Trash, and then replace it with a fresh copy downloaded from Opera's site at http://www.opera.com/download/.
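If you want to check rather than guess which build you are running, the following is an added example (my own illustration, not code from Opera or Apple) that reads an app bundle's Info.plist and compares CFBundleShortVersionString against the version that shipped the fixes, 11.50. The plist bytes embedded below are constructed for the example and stand in for /Applications/Opera.app/Contents/Info.plist; the path and the FIXED_VERSION constant are assumptions you can adjust. The numeric comparison matters: a plain string compare would rank "11.9" above "11.50".

```python
"""Added example: flag an installed Opera.app whose version predates the fixed release."""
import plistlib
from pathlib import Path

# Version the post reports as current and fixed (Opera 11.50); anything earlier is outdated.
FIXED_VERSION = "11.50"

# Constructed sample Info.plist, standing in for /Applications/Opera.app/Contents/Info.plist.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.operasoftware.Opera</string>
    <key>CFBundleShortVersionString</key>
    <string>11.11</string>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '11.11' into (11, 11) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def bundle_version(plist_bytes):
    """Extract the marketing version string from an XML Info.plist."""
    info = plistlib.loads(plist_bytes)
    return info["CFBundleShortVersionString"]


def is_outdated(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def check_bundle(plist_bytes):
    """Return (installed_version, outdated_flag) for the given Info.plist bytes."""
    version = bundle_version(plist_bytes)
    return version, is_outdated(version)


def check_installed_app(app_path="/Applications/Opera.app"):
    """Read the real bundle when running on a Mac; returns None if the app is not present."""
    plist_path = Path(app_path) / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return None
    return check_bundle(plist_path.read_bytes())


if __name__ == "__main__":
    version, outdated = check_bundle(SAMPLE_INFO_PLIST)
    print(f"sample bundle: Opera {version} -> {'OUTDATED' if outdated else 'current'}")
    real = check_installed_app()
    if real is not None:
        print(f"installed: Opera {real[0]} -> {'OUTDATED' if real[1] else 'current'}")
```

Run it on a Mac and the second line reports on whatever copy of Opera is actually installed; the same check works for any bundle whose publisher posts a "fixed in" version, as long as the version string is purely numeric dotted notation.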

On an unrelated note, I have been doing a lot of research lately on the "Mac Defender" malware that has been causing a stir since the beginning of May.  I am pleased to announce that I will soon publish my findings here on this site, so please subscribe to be sure you don't miss out on those details.

UPDATE, 6 July 2011: It took Apple just over a week after Opera released version 11.50 before the new version became available on the Mac App Store. Hopefully at some point Apple will begin to improve its app approval process to fast-track security updates, especially when vulnerabilities have been disclosed publicly or exist in popular software. For now, if an app is available directly from its publisher, it's probably a good idea to download it from the publisher's site rather than via the Mac App Store.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Saturday, June 18, 2011

Disclosure: iTunes Store Authentication Vulnerability

Apple recently worked with AOL to fix a vulnerability that I discovered in the iTunes Store authentication process. Following is a press release that was just published by upSploit, the advisory management organization I selected to help coordinate with Apple:
On June 4th, 2011, upSploit Limited released a vulnerability for the iTunes Store, App Store and iTunes. This vulnerability seemed to be a problem in the way Apple integrated AOL usernames and passwords into its services.

Prior to this vulnerability being fixed, Apple would accept incorrect passwords from users logging into the store using an AOL Screen Name. Incomplete passwords, passwords with incorrect letter case, passwords with incorrect or extra characters at the end, or a combination of any or all of these, were accepted by Apple. Knowledge of this vulnerability could potentially have been used by attackers, leading to disclosure of personally identifiable information, identity theft, and fraudulent purchases.

The vulnerability took the whole 6-month disclosure time limit to be announced as Apple were at first unresponsive to the problem and then, when they did respond, were initially unable to reproduce it. The discoverer of the bug, Joshua Long, contacted them and helped them find the problem, and they fixed it almost immediately.

Long had this to say about the process:

"When I discovered this security vulnerability last year, I felt that it was serious enough to warrant submitting it to a responsible third-party vulnerability management organization rather than only to Apple or AOL. I have submitted reports to both companies in the past, and I have found that sometimes it can take them a very long time to respond to a security issue. Case in point: AOL still doesn't seem to care about encrypting its Web-based e-mail service, in spite of Firesheep shining a spotlight on the problem last year. I hoped that bringing in a third party to work with the vendor would help encourage the vendor to take the issue seriously and fix it more quickly. I first approached a leading vulnerability management organization, but their policy was to not accept vulnerabilities in services. I had previously heard about upSploit on a security podcast and I decided to give the service a try. I liked that upSploit automatically and routinely reminds the vendor about the vulnerability and the date on which it will be disclosed to the public. I believe that upSploit's persistence was a major factor in motivating the vendor to take action and to resolve the issue."

Any credit for the vulnerability should be given to Joshua Long aka the JoshMeister. You can follow him on Twitter here - https://www.twitter.com/theJoshMeister and can view his security blog here - http://security.thejoshmeister.com
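The press release describes symptoms (incomplete passwords, wrong letter case, and extra trailing characters all being accepted) without saying how the comparison was implemented, and neither Apple nor AOL has published that. The code below is an added example of mine, not Apple's or AOL's code: a small audit harness that feeds a verifier the wrong-password classes named in the advisory and reports which ones it accepts. The weak verifier is a constructed model of those symptoms only (an assumed 8-character significant window, case folding, and prefix acceptance); the hardened verifier beside it uses a salted PBKDF2 hash with a constant-time comparison, which is one standard way to guarantee that only the exact, full-length password matches.

```python
"""Added example: audit a password verifier for the acceptance bugs the advisory describes."""
import hashlib
import hmac
import os

SIGNIFICANT = 8  # assumption for the model: only the first 8 characters are compared
ITERATIONS = 100_000  # PBKDF2 work factor for the hardened verifier


def weak_verify(stored_password, candidate):
    """Constructed model of the reported behaviour, not the real implementation:
    case-folded, only a prefix window is compared, and a shorter candidate passes
    as long as it is a prefix of that window (so trailing garbage is ignored too)."""
    stored_window = stored_password.lower()[:SIGNIFICANT]
    candidate_window = candidate.lower()[:SIGNIFICANT]
    return len(candidate_window) > 0 and stored_window.startswith(candidate_window)


# --- hardened verifier: full-length, case-sensitive, salted-hash comparison ---------------
def make_record(password, salt=None):
    """Store a random salt and a PBKDF2-SHA256 digest instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def strict_verify(record, candidate):
    """Recompute the digest over the whole candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(record["hash"], digest)


# --- audit harness: which wrong variants does a verifier accept? -------------------------
def wrong_variants(password):
    """Build the mistake classes the advisory lists, plus a combination of them."""
    return {
        "incomplete": password[:-1],
        "wrong_case": password.swapcase(),
        "extra_trailing": password + "x",
        "combined": password[:-1].swapcase() + "!!",
    }


def audit(verify, password):
    """Return the names of wrong-password variants that `verify` accepts.
    An empty list means the verifier rejects every variant, as it should."""
    return [name for name, variant in wrong_variants(password).items() if verify(variant)]


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    print("weak verifier accepts:  ", audit(lambda c: weak_verify(pw, c), pw))
    record = make_record(pw)
    print("strict verifier accepts:", audit(lambda c: strict_verify(record, c), pw))
```

The harness is the reusable part: point `audit` at any login function you are responsible for (wrapped so it takes only the candidate password) and the returned list is the set of acceptance bugs that function has. The weak model exists only so the harness has something to catch; against the PBKDF2 verifier it returns an empty list.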

EDIT: Apple also acknowledged me at https://support.apple.com/kb/HT1318 for reporting this issue.
