OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 22, 2014.

  1. macrumors bot


    Apr 12, 2001

    Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.

    In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.

    According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
    The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.

    It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.

    Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."

    Article Link: OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update
  2. macrumors 6502a

    Oct 3, 2012
    Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.
  3. macrumors Core


    Jan 4, 2002
    This article explains it fairly well.
  4. macrumors 68000


    Nov 3, 2010
    Bug is present in Safari in the latest build of 10.9.2 beta.

    Firefox is immune though.
    (I don't use Chrome so i didn't test that)
  5. macrumors 6502a


    Oct 26, 2007
    Here, there and everywhere
  6. macrumors 68000

    Mar 4, 2013
    I do use Chrome, and it's not vulnerable.
  7. Editor


    Staff Member

    Dec 7, 2012
    Chrome and Firefox don't use SecureTest and are thus not vulnerable, but many other apps and services do use it so even though a particular browser is not affected, a system on the whole is. That's why it's best to check with Safari -- it's bigger than just a browser vulnerability.
  8. macrumors 68020

    Cuban Missles

    Dec 6, 2012
    My heart is in Camagüey, the rest in the USA
    Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
  9. macrumors regular

    Oct 23, 2009
    I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? :( I can't find any news or info about the update.

    I'm using OS X 10.8.5
  10. macrumors 68000


    Oct 30, 2008
    Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy a the next table in Starbucks can't attack you using this. But the router can, as can the ISP. You can protect yourself by using a VPN service, which will cloak your activities against this exploit to all attackers between you and your VPN server.


    If it was in the App Store, it's safe. Sounds like it was an update to the App Store application itself.
  11. macrumors 68040


    May 31, 2007
    Florida, USA
    I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.
  12. macrumors 68020

    Aug 5, 2008
    San Jose, CA
    In public networks it is often possible for an attacker to use tricks to redirect traffic meant for another user to his own computer (e.g. ARP spoofing). So yes, the guy at the next table might be able to exploit this bug. Now that it is widely known, I would not recommend to use an unpatched iOS or Mac OS device on a Starbucks WLAN.
  13. macrumors 68040

    Feb 2, 2008
    Mountain Lion doesn't appear to have this bug.
  14. macrumors regular


    Dec 24, 2011
    It's actually very hard for the average Joe to perform this attack at Starbucks, as well as pretty much all common public wifi networks, such as McDonalds or airports. Most of these networks have layers that make it very difficult. Access to the router would be the easiest way.

    So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

    As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.
  15. macrumors 601

    Nov 12, 2007
    10.8.x isn't affected, only Mavericks is.
  16. macrumors 603


    Oct 5, 2008
    Just updated to 7.0.6 and rejailbroke my devices. Better safe than sorry.
  17. macrumors 6502


    Jan 26, 2014
    Horsens, Denmark
    Update son then

    If it uses the same algorithm for verification, surely Apple could just apply the same fix on OS X, that they applied on iOS.... Update coming soon guys
  18. MahBoi, Feb 22, 2014
    Last edited: Feb 22, 2014

    macrumors newbie

    Feb 20, 2014
    The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly. EDIT: I maybe meant "certificate not verified".
  19. macrumors G5


    Nov 14, 2011
  20. macrumors newbie

    Feb 20, 2014
    READ: Introduced in 10.9. I tested my Safari (running 10.8.5), and it's fine. Yet another Mavericks bug :rolleyes: I'll go laugh at my friend who thinks that Mavericks was a worthwhile upgrade.
  21. macrumors 65816

    Jun 30, 2007
    So let's say you're taking your Macbook Air to a new coffee shop named Carl's. There's a hotspot that says "Carl's Free Wifi" so you connect. Except you've just connected to someone's computer pretending to be a wifi router. With special software, this person can forward on your data, so it looks like you're connected to a legit hotspot. But this person can inspect any data you send and grab emails, passwords, credit card numbers, whatever. They can also modify the data sent back to you and send exploits to gain access to your computer.

    Now, with SSL (https), the data sent to websites is encrypted and the person can't see it. But in this case the connection is not verified and the person can pretend to be the website. Thus, the person can still see everything.
  22. macrumors 6502


    Feb 6, 2010
    That's why I use Chrome, which gets security updates after every few weeks. :)
  23. macrumors 65816

    Jun 30, 2007
    This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
  24. macrumors newbie

    Feb 20, 2014
    Wait, so now I have to upgrade my iPhone and rejailbreak it. Aaaaghhhhhhh!
  25. macrumors 6502a

    Jun 12, 2013
    OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

    I have another question related to this:

    Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

    My home router is only used by myself and family members. If I am fairly sure that my personal router is secure, was I safe? I use only my home WiFi and mobile phone service provider to connect to the Internet. I've never used any WiFi hotspots.

Share This Page