Sunday, November 27, 2011

Apple left vulnerability open for governmental spyware for three years

That iTunes update you installed earlier may have been the government spying on you. And Apple has known for at least three years.

Quoting Krebs on Security: "FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher's creators advertised the ability to deploy the Trojan disguised as an update for Apple's iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged. [...] A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw. [...] Mikko Hypponen, chief research officer for Finnish security firm F-Secure, first blogged about FinFisher in March 2011, when protesters in Egypt took over the headquarters of the Egyptian State Security and gained access to loads of confidential state documents, including those that appear to show the government purchased licenses for the program."
A screen shot from the firm's promotion video: A fake iTunes update. Image via Spiegel.

Sources: The Telegraph, "Apple iTunes flaw 'allowed government spying for 3 years'"; Krebs on Security (blog), "Apple Took 3+ Years to Fix FinFisher Trojan Hole"; Spiegel, "Firm Sought to Install Spyware Via Faked iTunes Updates".