Old Feb 22, 2014, 01:59 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update




Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.

In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.

According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
Quote:
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.

It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.

Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."

Article Link: OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update
MacRumors is offline   0 Reply With Quote
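The verification flaw the article and CrowdStrike describe, as an added illustration that is not code from the page or from Apple: a constructed C model of the duplicated `goto fail;` line that was widely reported in SecureTransport's signature check on the server key exchange, beside the corrected shape. `Buf`, the FNV-1a digest, the error codes, `raw_verify` and `toy_sign` are stand-ins invented here, not SecureTransport's real routines.

```c
#include <stddef.h>
#include <stdint.h>
typedef int OSStatus;                /* SecureTransport convention: 0 means success */
enum { errSSLCrypto = -9000, errSSLBadParam = -9001 };   /* constructed codes */
typedef struct { const uint8_t *p; size_t n; } Buf;
/* Constructed toy digest (FNV-1a) standing in for SSLHashSHA1.update / .final. */
static OSStatus hash_update(uint32_t *h, Buf b) {
    if (b.p == NULL) return errSSLBadParam;
    for (size_t i = 0; i < b.n; i++) *h = (*h ^ b.p[i]) * 16777619u;
    return 0;
}
static OSStatus hash_final(uint32_t *h, uint32_t *out) { *out = *h ^ 0x5bd1e995u; return 0; }
/* Constructed stand-in for sslRawVerify: accept only if the digest matches. */
static OSStatus raw_verify(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : errSSLCrypto; }
/* The value an honest server would send for these parameters (toy model only). */
uint32_t toy_sign(Buf cr, Buf sr, Buf params) {
    uint32_t h = 2166136261u, d;
    hash_update(&h, cr); hash_update(&h, sr); hash_update(&h, params); hash_final(&h, &d);
    return d;
}

/* Vulnerable shape: the second "goto fail;" is unconditional, so err is still 0 from
   the successful update and both hash_final and raw_verify are skipped. */
OSStatus verify_server_key_exchange_vulnerable(Buf cr, Buf sr, Buf params, uint32_t sig) {
    OSStatus err; uint32_t h = 2166136261u, digest;
    if ((err = hash_update(&h, cr)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr)) != 0)
        goto fail;
    if ((err = hash_update(&h, params)) != 0)
        goto fail;
        goto fail;      /* duplicated line: the indentation hides that it always runs */
    if ((err = hash_final(&h, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Fixed shape: one goto per check, so raw_verify always runs before returning. */
OSStatus verify_server_key_exchange_fixed(Buf cr, Buf sr, Buf params, uint32_t sig) {
    OSStatus err; uint32_t h = 2166136261u, digest;
    if ((err = hash_update(&h, cr)) != 0) goto fail;
    if ((err = hash_update(&h, sr)) != 0) goto fail;
    if ((err = hash_update(&h, params)) != 0) goto fail;
    if ((err = hash_final(&h, &digest)) != 0) goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}
```

The error path still works in the vulnerable version (a missing field is rejected), which is why ordinary testing did not catch it; only the success path silently skips the signature check. GCC's `-Wmisleading-indentation` (added in GCC 6) flags exactly this pattern at compile time.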
Old Feb 22, 2014, 02:01 PM   #2
locoboi187
macrumors 6502a
 
Join Date: Oct 2012
Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.
__________________
Macbook Pro Retina 15"
iPhone 5 32GB - Black
iPad 4 16GB - Black
TV 3
locoboi187 is online now   2 Reply With Quote
Old Feb 22, 2014, 02:04 PM   #3
MacNut
macrumors P6
 
MacNut's Avatar
 
Join Date: Jan 2002
Location: CT
Quote:
Originally Posted by locoboi187 View Post
Can someone explain this bug in detail and why is it important to the average user please?
This article explains it fairly well.
Quote:
It means that an attacker could intercept communications from an iPhone that were meant to be encrypted. Let's say the attacker had access to the same network over an unsecured WiFi connection in a coffee shop or restaurant. He could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site. The worse news for Apple is that its desktop operating system, OS X, is perhaps even more exposed to attack.
http://247wallst.com/consumer-electr...security-flaw/
__________________
The thoughts in my head are rated TV-MA. Viewer discretion is advised.
Now batting, Number 2 Derek Jeter, Number 2
MacNut is offline   2 Reply With Quote
Old Feb 22, 2014, 02:04 PM   #4
Kariya
macrumors 65816
 
Join Date: Nov 2010
Bug is present in Safari in the latest build of 10.9.2 beta.

Firefox is immune though.
(I don't use Chrome so i didn't test that)
Kariya is online now   5 Reply With Quote
Old Feb 22, 2014, 02:09 PM   #5
tarasis
macrumors 6502
 
Join Date: Oct 2007
Location: Here, there and everywhere
It's def a recent fix, it's not in 7.1B5
tarasis is offline   0 Reply With Quote
Old Feb 22, 2014, 02:10 PM   #6
saturnotaku
macrumors 65816
 
Join Date: Mar 2013
Quote:
Originally Posted by Kariya View Post
(I don't use Chrome so i didn't test that)
I do use Chrome, and it's not vulnerable.
__________________
MacBook Pro 15 (Late 2011)
Core i7 2860QM | 16 GB RAM | AMD Radeon 6770M | 1 TB Samsung 840 EVO SSD | Antiglare Display | OS X + Win 7
iPhone 4S (Verizon 64 GB)
saturnotaku is offline   4 Reply With Quote
Old Feb 22, 2014, 02:16 PM   #7
jclo
Editor
 
Join Date: Dec 2012
Location: California
Quote:
Originally Posted by saturnotaku View Post
I do use Chrome, and it's not vulnerable.
Chrome and Firefox don't use SecureTest and are thus not vulnerable, but many other apps and services do use it so even though a particular browser is not affected, a system on the whole is. That's why it's best to check with Safari -- it's bigger than just a browser vulnerability.
jclo is offline   3 Reply With Quote
Old Feb 22, 2014, 02:22 PM   #8
Cuban Missles
macrumors 6502a
 
Cuban Missles's Avatar
 
Join Date: Dec 2012
Location: East Coast, USA
Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
__________________
I have a collection of Apple stickers from all my Apple product purchases - they are white (the stickers not the products)
Cuban Missles is offline   0 Reply With Quote
Old Feb 22, 2014, 02:28 PM   #9
Xe89
macrumors regular
 
Join Date: Oct 2009
I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5
Xe89 is offline   1 Reply With Quote
Old Feb 22, 2014, 02:29 PM   #10
sjinsjca
macrumors 65816
 
Join Date: Oct 2008
Quote:
Originally Posted by Cuban Missles View Post
Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy at the next table in Starbucks can't attack you using this. But the router can, as can the ISP. You can protect yourself by using a VPN service, which will cloak your activities against this exploit to all attackers between you and your VPN server.

----------

Quote:
Originally Posted by Xe89 View Post
I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5
If it was in the App Store, it's safe. Sounds like it was an update to the App Store application itself.
sjinsjca is online now   1 Reply With Quote
Old Feb 22, 2014, 02:40 PM   #11
zorinlynx
macrumors 68020
 
zorinlynx's Avatar
 
Join Date: May 2007
Location: Florida, USA
I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.
__________________
Old-school Apple ][ expert! Ask me if you have a ][ question!
Apple user 1983-1992, 2003-Present -- Linux user 1995-Present
Windows-free since 2003! Though I still have to deal with it at work.
zorinlynx is online now   1 Reply With Quote
Old Feb 22, 2014, 02:42 PM   #12
Rigby
macrumors 6502a
 
Join Date: Aug 2008
Location: San Jose, CA
Quote:
Originally Posted by sjinsjca View Post
Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy a the next table in Starbucks can't attack you using this.
In public networks it is often possible for an attacker to use tricks to redirect traffic meant for another user to his own computer (e.g. ARP spoofing). So yes, the guy at the next table might be able to exploit this bug. Now that it is widely known, I would not recommend using an unpatched iOS or Mac OS device on a Starbucks WLAN.
Rigby is offline   1 Reply With Quote
Old Feb 22, 2014, 02:43 PM   #13
subsonix
macrumors 68030
 
Join Date: Feb 2008
Quote:
Originally Posted by zorinlynx View Post
I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.
Mountain Lion doesn't appear to have this bug.
subsonix is offline   4 Reply With Quote
Old Feb 22, 2014, 02:44 PM   #14
MonstaMash
macrumors regular
 
Join Date: Dec 2011
Quote:
Originally Posted by Cuban Missles View Post
Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
It's actually very hard for the average Joe to perform this attack at Starbucks, as well as pretty much all common public wifi networks, such as McDonalds or airports. Most of these networks have layers that make it very difficult. Access to the router would be the easiest way.

So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.
MonstaMash is offline   2 Reply With Quote
Old Feb 22, 2014, 02:45 PM   #15
MikhailT
macrumors 68040
 
Join Date: Nov 2007
Quote:
Originally Posted by Xe89 View Post
I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? I can't find any news or info about the update.

I'm using OS X 10.8.5
Quote:
Originally Posted by zorinlynx View Post
I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.
10.8.x isn't affected, only Mavericks is.
MikhailT is offline   0 Reply With Quote
Old Feb 22, 2014, 02:47 PM   #16
nfl46
macrumors 601
 
nfl46's Avatar
 
Join Date: Oct 2008
Just updated to 7.0.6 and rejailbroke my devices. Better safe than sorry.
__________________
| 32GB Apple iPhone 5S | 13" MacBook Pro | 2nd Generation Apple TV |
nfl46 is offline   0 Reply With Quote
Old Feb 22, 2014, 02:48 PM   #17
casperes1996
macrumors regular
 
Join Date: Jan 2014
Location: Horsens, Denmark
Update soon then

If it uses the same algorithm for verification, surely Apple could just apply the same fix on OS X, that they applied on iOS.... Update coming soon guys
casperes1996 is offline   0 Reply With Quote
Old Feb 22, 2014, 02:55 PM   #18
MahBoi
Banned
 
Join Date: Feb 2014
The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly. EDIT: I maybe meant "certificate not verified".

Last edited by MahBoi; Feb 22, 2014 at 06:46 PM.
MahBoi is offline   0 Reply With Quote
Old Feb 22, 2014, 02:55 PM   #19
Rogifan
macrumors G3
 
Rogifan's Avatar
 
Join Date: Nov 2011
http://www.independent.ie/business/a...-30033607.html

Confirming researchers' findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: "We are aware of this issue and already have a software fix that will be released very soon."
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   1 Reply With Quote
Old Feb 22, 2014, 02:56 PM   #20
MahBoi
Banned
 
Join Date: Feb 2014
READ: Introduced in 10.9. I tested my Safari (running 10.8.5), and it's fine. Yet another Mavericks bug. I'll go laugh at my friend who thinks that Mavericks was a worthwhile upgrade.
MahBoi is offline   4 Reply With Quote
Old Feb 22, 2014, 02:57 PM   #21
petsounds
macrumors 6502a
 
Join Date: Jun 2007
Quote:
Originally Posted by locoboi187 View Post
Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.
So let's say you're taking your Macbook Air to a new coffee shop named Carl's. There's a hotspot that says "Carl's Free Wifi" so you connect. Except you've just connected to someone's computer pretending to be a wifi router. With special software, this person can forward on your data, so it looks like you're connected to a legit hotspot. But this person can inspect any data you send and grab emails, passwords, credit card numbers, whatever. They can also modify the data sent back to you and send exploits to gain access to your computer.

Now, with SSL (https), the data sent to websites is encrypted and the person can't see it. But in this case the connection is not verified and the person can pretend to be the website. Thus, the person can still see everything.
petsounds is offline   0 Reply With Quote
Old Feb 22, 2014, 02:58 PM   #22
sshhoott
macrumors 6502
 
Join Date: Feb 2010
That's why I use Chrome, which gets security updates after every few weeks.
sshhoott is offline   0 Reply With Quote
Old Feb 22, 2014, 03:00 PM   #23
petsounds
macrumors 6502a
 
Join Date: Jun 2007
Quote:
Originally Posted by sshhoott View Post
That's why I use Chrome, which gets security updates after every few weeks.
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
petsounds is offline   7 Reply With Quote
Old Feb 22, 2014, 03:01 PM   #24
MahBoi
Banned
 
Join Date: Feb 2014
Wait, so now I have to upgrade my iPhone and rejailbreak it. Aaaaghhhhhhh!
MahBoi is offline   1 Reply With Quote
Old Feb 22, 2014, 03:01 PM   #25
Retired Cat
macrumors 6502a
 
Join Date: Jun 2013
Quote:
Originally Posted by MonstaMash View Post
So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.

I have another question related to this:

Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

My home router is only used by myself and family members. If I am fairly sure that my personal router is secure, was I safe? I use only my home WiFi and mobile phone service provider to connect to the Internet. I've never used any WiFi hotspots.
Retired Cat is online now   0 Reply With Quote
