This Week in Security: Apple’s Mountain of Vulnerabilities, Certificates, and Privacy

Apple Goes Spelunking Through “YoCVEte” National Park and Unearths a Mountain of Vulnerabilities

macOS Sierra 10.12.4, along with security updates for El Capitan and Yosemite, was released this week alongside iOS 10.3, tvOS 10.2, and watchOS 3.2. The macOS update (and the updates for the prior OS X versions) addresses an astounding 126 CVEs; the iOS update addresses 88.

A significant number of the patched CVEs (Common Vulnerabilities and Exposures) are attributed to third-party open-source components bundled with macOS: the tcpdump utility alone accounts for 41 of them.

It’s interesting to note which vulnerabilities are shared across all of Apple’s operating systems. The WebKit and ImageIO bugs, some of them assigned CVE numbers back in 2016, affect macOS, iOS, watchOS, and tvOS alike, because the same rendering and image-decoding code ships in every one of them.

As always, consumers should apply patches as they are released to protect themselves against discovered vulnerabilities. Automatic updates are a fantastic feature to make sure you’re up to date—just make sure you’re not delaying those system reboots indefinitely for updates to apply.

Certifiably Unidentifiable

Let’s Encrypt is a free certificate authority (CA) run by the Internet Security Research Group (ISRG) with an admirable mission: to give everybody the ability to deploy HTTPS (SSL/TLS) services. Unfortunately, ‘everybody’ includes malicious actors, and over 14,000 certificates have been issued for PayPal phishing sites.

Let’s Encrypt issues domain-validated (DV) certificates, which only require the requester to prove control over the domain (for example by answering an ACME HTTP or DNS challenge); they assert nothing about who operates the site. Extended-validation (EV) certificates, by contrast, undergo a more rigorous verification of the requesting organization’s legal identity.

At the other end of the spectrum, Google has initiated a process to deprecate trust in certificates issued by Symantec (GeoTrust, Thawte, VeriSign, and Equifax are all brands owned and operated by Symantec) after finding that roughly 30,000 certificates had been issued without proper validation. Under the proposal, Chrome will stop recognizing the EV status of Symantec-issued certificates, effectively downgrading them to DV, and progressively shorten the certificate validity period it will accept from that CA over the coming releases.

The age-old advice of checking for a lock icon to identify a trustworthy HTTPS connection is going out the window. It’s bad enough that browsers are making it harder to inspect a certificate at a glance; add the barrage of DV certificates issued to phishing sites by Let’s Encrypt and the deprecation of a large swath of Symantec-issued EV certificates, and the lock icon will only cause more confusion. The lock means the connection is encrypted to whoever controls that domain name, nothing more. In the rush to a fully encrypted Internet, we’ve lost an important means of distinguishing identity on the Internet.

Website operators with a Symantec issued EV certificate should begin the process of renewing their certificates with a different certificate authority to prevent confusion for their users.

Home users should avoid clicking links and URLs in e-mails to prevent falling victim to a phishing attack. Verifying that there is a lock icon in the address bar is no longer sufficient to confirm you are on a legitimate website; it only confirms that the site you reached holds a certificate for the domain in the address bar, which is exactly what a phishing site with a DV certificate also has. Users should browse directly to websites by typing in the actual address rather than relying on links in e-mails, instant messages, or posts on social media.

Congress Against Privacy

If you thought the quest for a fully encrypted Internet was a silly ideal, think again. The US Senate and House of Representatives have voted to repeal the FCC’s broadband privacy rules, allowing your internet service provider (ISP) to sell your web browsing history.

In an age of commodity cloud computing and data science, things are going to get even creepier when ISPs start selling off your web history. If Target can figure out you’re pregnant before everyone else, just imagine what retailers and advertisers can do with your browsing history. The EFF provides a great overview of the risks associated with repealing the FCC privacy rules.

Max Temkin, the creator of Cards Against Humanity, has pledged to purchase and publish the browser history of every congressman and aide if the bill passes.

A lot of websites and news outlets offer the same recommendations for protecting your privacy: use a virtual private network (VPN), use Tor, use HTTPS (SSL/TLS). Unfortunately, each of those only moves or narrows the problem, and each comes with its own disadvantages: a VPN shifts the trust from your ISP to the VPN provider, who now sees everything your ISP would have seen; malicious Tor exit nodes can spy on unencrypted traffic or even inject their own malware; and HTTPS hides the contents of your traffic but not its destination, since ISPs generally operate the DNS resolvers your devices use, see the IP address of every server you connect to, and can read the server name your browser sends in cleartext in the TLS handshake (the SNI extension) before any encryption begins.
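As an added example, not part of the original newsletter, the following Python script shows what an on-path observer such as an ISP can read from an HTTPS connection despite the encryption. It builds a constructed, minimal TLS 1.2 ClientHello for a hostname (a sample for the demonstration, not a real capture) and then parses it the way a passive observer would, pulling the hostname out of the cleartext SNI extension. The builder, the sample hostnames and the single cipher suite are assumptions made for the example; the parser follows the record, handshake and extension layout of RFC 5246 and RFC 6066, which is the same layout a browser's real first packet uses.

```python
import struct

SNI_EXTENSION_TYPE = 0  # server_name extension, RFC 6066


def build_client_hello(hostname=None):
    """Build a constructed, minimal TLS 1.2 ClientHello record (RFC 5246 layout).

    This is a sample for demonstration, not a capture: zeroed random, one cipher
    suite, and either a single server_name extension or no extensions at all.
    """
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeroed for the sample)
        + b"\x00"              # session_id length: 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 only
        + b"\x01\x00"          # compression_methods: null only
    )
    if hostname is not None:
        host = hostname.encode("ascii")
        # ServerName = name_type (0 = host_name) + 2-byte length + name, in cleartext
        server_name = b"\x00" + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
        body += struct.pack("!H", len(extension)) + extension
    # Handshake header: msg_type = client_hello (1) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type = handshake (22), legacy version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the hostname carried in a ClientHello's SNI extension, or None.

    Everything parsed here is sent before any session key exists, so an ISP or
    any other on-path observer can read it regardless of HTTPS.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None  # not a TLS handshake record (e.g. plain HTTP)
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None  # handshake message is not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None  # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:  # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # truncated or malformed input: fail closed rather than guess


if __name__ == "__main__":
    # Constructed first packets of four connections, not real captures.
    samples = [
        build_client_hello("www.paypal.com"),
        build_client_hello("my-bank.example"),
        build_client_hello(),  # ClientHello without SNI: hostname hidden, IP still visible
        b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n",  # plain HTTP: everything visible
    ]
    for packet in samples:
        print(extract_sni(packet))
```

The parser would recover the same hostname from a real ClientHello captured with tcpdump, because the server name has to be sent before the key exchange that would protect it. That is why switching to a third-party DNS resolver does not stop an ISP from learning which HTTPS sites you visit: the name is still in the first packet of every connection, alongside the destination IP.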

Consult your ISP’s privacy policy to understand what they’ll do with your information and take it into consideration when choosing an ISP - see if they’ll let you opt out of the data collection.

One final note: a browser’s “private browsing mode,” such as Chrome’s Incognito mode, only keeps history, cookies, and cache off your own machine. It does nothing to prevent your ISP from monitoring your browsing behavior.