OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 22, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.

    [​IMG]
    In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.

    According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
    The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.

    [​IMG]
    It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.

    Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."

    Article Link: OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update
     
  2. macrumors 6502a

    Joined:
    Oct 3, 2012
    #2
    Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.
     
  3. macrumors Core

    MacNut

    Joined:
    Jan 4, 2002
    Location:
    CT
    #3
    This article explains it fairly well.
    http://247wallst.com/consumer-elect...-low-key-approach-to-fix-major-security-flaw/
     
  4. macrumors 68000

    Kariya

    Joined:
    Nov 3, 2010
    #4
    Bug is present in Safari in the latest build of 10.9.2 beta.

    Firefox is immune though.
    (I don't use Chrome so i didn't test that)
     
  5. macrumors 6502

    tarasis

    Joined:
    Oct 26, 2007
    Location:
    Here, there and everywhere
    #5
    It's def a recent fix, it's not in 7.1B5
     
  6. macrumors 68000

    Joined:
    Mar 4, 2013
    #6
    I do use Chrome, and it's not vulnerable.
     
  7. Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #7
    Chrome and Firefox don't use SecureTest and are thus not vulnerable, but many other apps and services do use it so even though a particular browser is not affected, a system on the whole is. That's why it's best to check with Safari -- it's bigger than just a browser vulnerability.
     
  8. macrumors 68000

    Cuban Missles

    Joined:
    Dec 6, 2012
    Location:
    My heart is in Camagüey, the rest in the USA
    #8
    Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
     
  9. macrumors regular

    Joined:
    Oct 23, 2009
    #9
    I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? :( I can't find any news or info about the update.

    I'm using OS X 10.8.5
     
  10. macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #10
    Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy a the next table in Starbucks can't attack you using this. But the router can, as can the ISP. You can protect yourself by using a VPN service, which will cloak your activities against this exploit to all attackers between you and your VPN server.

    ----------

    If it was in the App Store, it's safe. Sounds like it was an update to the App Store application itself.
     
  11. macrumors 68030

    zorinlynx

    Joined:
    May 31, 2007
    Location:
    Florida, USA
    #11
    I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.
     
  12. macrumors 68000

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #12
    In public networks it is often possible for an attacker to use tricks to redirect traffic meant for another user to his own computer (e.g. ARP spoofing). So yes, the guy at the next table might be able to exploit this bug. Now that it is widely known, I would not recommend to use an unpatched iOS or Mac OS device on a Starbucks WLAN.
     
  13. macrumors 68040

    Joined:
    Feb 2, 2008
    #13
    Mountain Lion doesn't appear to have this bug.
     
  14. macrumors regular

    MonstaMash

    Joined:
    Dec 24, 2011
    #14
    It's actually very hard for the average Joe to perform this attack at Starbucks, as well as pretty much all common public wifi networks, such as McDonalds or airports. Most of these networks have layers that make it very difficult. Access to the router would be the easiest way.

    So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

    As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.
     
  15. macrumors 601

    Joined:
    Nov 12, 2007
    #15
    10.8.x isn't affected, only Mavericks is.
     
  16. macrumors 603

    nfl46

    Joined:
    Oct 5, 2008
    #16
    Just updated to 7.0.6 and rejailbroke my devices. Better safe than sorry.
     
  17. macrumors 6502

    casperes1996

    Joined:
    Jan 26, 2014
    Location:
    Horsens, Denmark
    #17
    Update son then

    If it uses the same algorithm for verification, surely Apple could just apply the same fix on OS X, that they applied on iOS.... Update coming soon guys
     
  18. MahBoi, Feb 22, 2014
    Last edited: Feb 22, 2014

    macrumors newbie

    Joined:
    Feb 20, 2014
    #18
    The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly. EDIT: I maybe meant "certificate not verified".
     
  19. macrumors G5

    Rogifan

    Joined:
    Nov 14, 2011
    #19
  20. macrumors newbie

    Joined:
    Feb 20, 2014
    #20
    READ: Introduced in 10.9. I tested my Safari (running 10.8.5), and it's fine. Yet another Mavericks bug :rolleyes: I'll go laugh at my friend who thinks that Mavericks was a worthwhile upgrade.
     
  21. macrumors 65816

    Joined:
    Jun 30, 2007
    #21
    So let's say you're taking your Macbook Air to a new coffee shop named Carl's. There's a hotspot that says "Carl's Free Wifi" so you connect. Except you've just connected to someone's computer pretending to be a wifi router. With special software, this person can forward on your data, so it looks like you're connected to a legit hotspot. But this person can inspect any data you send and grab emails, passwords, credit card numbers, whatever. They can also modify the data sent back to you and send exploits to gain access to your computer.

    Now, with SSL (https), the data sent to websites is encrypted and the person can't see it. But in this case the connection is not verified and the person can pretend to be the website. Thus, the person can still see everything.
     
  22. macrumors 6502

    sshhoott

    Joined:
    Feb 6, 2010
    #22
    That's why I use Chrome, which gets security updates after every few weeks. :)
     
  23. macrumors 65816

    Joined:
    Jun 30, 2007
    #23
    This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
     
  24. macrumors newbie

    Joined:
    Feb 20, 2014
    #24
    Wait, so now I have to upgrade my iPhone and rejailbreak it. Aaaaghhhhhhh!
     
  25. macrumors 6502a

    Joined:
    Jun 12, 2013
    #25
    OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update


    I have another question related to this:

    Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

    My home router is only used by myself and family members. If I am fairly sure that my personal router is secure, was I safe? I use only my home WiFi and mobile phone service provider to connect to the Internet. I've never used any WiFi hotspots.
     

Share This Page