OS X Yosemite, the upgrade Apple launched Friday, also included the fix.
But testing Safari 7 on a patched Mac running Mavericks – and Safari 8 on Yosemite – resulted in a still-vulnerable report from poodletest.com, a website created by Johannes Ullrich, dean of research for the SANS Technology Institute and the head of SANS’s Internet Storm Center security arm. Ullrich published the detector so users could find out whether their browsers are at risk.
POODLE, for “Padding Oracle On Downgraded Legacy Encryption,” was disclosed earlier last week by a trio of Google security engineers who revealed how a design flaw in SSL (Secure Socket Layer) 3.0 could be exploited by criminals. Those hackers could use POODLE to steal browser session cookies, then use the cookies to impersonate victims at websites where they make online purchases, receive email or store files in cloud services.
In a research paper, the Google engineers outlined the POODLE attack technique, sending a another wave of apprehension through the web about the security of the internet. The POODLE attack can force a secure connection to ‘fall back’ to the long-known-to-be-untrustworthy SSL 3.0 by faking errors when more secure encryption methods are applied.
Because both browsers and web servers must be modified or updated to disable SSL 3.0 or bar systems from reverting to SSL 3.0, browser developers quickly announced that they were planning to patch their software.
Mozilla, for instance, said it would disable SSL 3.0 in Firefox 34, which is slated for release on 25 November. And Chrome said it would turn off SSL 3.0 in a future update, but added that it had already put in place a mechanism called SCSV, for TLS Fallback Signaling Cipher Suite Value, in the browser and on its servers. SCSV, which Mozilla will also support in Firefox 34, prevents attackers from inducing browsers to use SSL 3.0 as a fallback.
Apple’s fix, designated Security Update 2014-005 and designed for last year’s Mavericks and 2012’s Mountain Lion, took a different tack.
Rather than deactivate SSL 3.0 or implement SCSV, Apple “disabl[ed] CBC cipher suites when TLS connection attempts fail.” In other words, it blocks SSL 3.0 from using a type of cryptographic cipher, called “cipher block chaining,” that has been proven to be poorly implemented by SSL and its replacement TLS, and thus vulnerable to exploitation.
“This is a reasonable decision as it does mitigate the POODLE and BEAST vulnerabilities,” said Ullrich in an email. “Usually, CBC ciphers are part of SSLv3, but it is up to the browser and server which cipher to support.”
BEAST was the hacking tool released in September 2011 that exploited other flaws in SSL 3.0 and TLS 1.0.
But Ullrich also reported that after applying Security Update 2014-005, his POODLE detector still showed Safari as vulnerable.
“In my own testing after applying the patch, I can’t see this behaviour [as outlined by Apple],” Ullrich wrote in an email. “My version of Safari still happily connects to an SSLv3 server using AES as a cipher.”
AES-CBC is one of the cipher suites that Google had highlighted as vulnerable to the BEAST attack, as well as to the subsequent “Lucky 13” attack unveiled in February 2013.
Ullrich said he is continuing to investigate why Safari shows as vulnerable, even after the security update has been applied.
The lack of a corresponding update for Lion from Apple last week confirms that the company has stopped supporting the three-year-old OS X 10.7 by cutting it off from security patches.
Security Update 2014-005 can be retrieved by selecting “Software Update…” from the Apple menu on a Mavericks- or Mountain Lion-powered machine, or by opening the Mac App Store application and clicking the Update icon at the top right.