Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,195
30,136



Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.

ios6security.jpg
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.

According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.

vulnerablebrowser.jpg
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.

Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."

Article Link: OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update
 

locoboi187

macrumors 6502a
Oct 3, 2012
711
375
Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.
 

MacNut

macrumors Core
Jan 4, 2002
22,991
9,969
CT
Can someone explain this bug in detail and why is it important to the average user please?
This article explains it fairly well.
It means that an attacker could intercept communications from an iPhone that was meant to be encrypted. Let’s say the attacker had access to the same network over an unsecured WiFi connection in a coffee shop or restaurant. He could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site. The worse news for Apple is the its desktop operating system, OS X, is perhaps even more exposed to attack.
http://247wallst.com/consumer-elect...-low-key-approach-to-fix-major-security-flaw/
 

Kariya

macrumors 68000
Nov 3, 2010
1,820
10
Bug is present in Safari in the latest build of 10.9.2 beta.

Firefox is immune though.
(I don't use Chrome so i didn't test that)
 

jclo

Managing Editor
Staff member
Dec 7, 2012
1,968
4,296
I do use Chrome, and it's not vulnerable.

Chrome and Firefox don't use SecureTest and are thus not vulnerable, but many other apps and services do use it so even though a particular browser is not affected, a system on the whole is. That's why it's best to check with Safari -- it's bigger than just a browser vulnerability.
 

2457282

Suspended
Dec 6, 2012
3,327
3,015
Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
 

Xe89

macrumors regular
Oct 23, 2009
119
0
I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? :( I can't find any news or info about the update.

I'm using OS X 10.8.5
 

sjinsjca

macrumors 68020
Oct 30, 2008
2,238
555
Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.

Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy a the next table in Starbucks can't attack you using this. But the router can, as can the ISP. You can protect yourself by using a VPN service, which will cloak your activities against this exploit to all attackers between you and your VPN server.

----------

I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? :( I can't find any news or info about the update.

I'm using OS X 10.8.5

If it was in the App Store, it's safe. Sounds like it was an update to the App Store application itself.
 

zorinlynx

macrumors G3
May 31, 2007
8,133
17,434
Florida, USA
I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.
 

Rigby

macrumors 603
Aug 5, 2008
6,209
10,148
San Jose, CA
Actually not. It seems the attacker has to be able to insert himself between you and a legitimate site, or he needs to impersonate a legitimate site. So, the guy a the next table in Starbucks can't attack you using this.
In public networks it is often possible for an attacker to use tricks to redirect traffic meant for another user to his own computer (e.g. ARP spoofing). So yes, the guy at the next table might be able to exploit this bug. Now that it is widely known, I would not recommend to use an unpatched iOS or Mac OS device on a Starbucks WLAN.
 

subsonix

macrumors 68040
Feb 2, 2008
3,551
79
I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.

Mountain Lion doesn't appear to have this bug.
 

MonstaMash

macrumors regular
Dec 24, 2011
205
82
Fixed all my iOS devices. Now need to tell my wife not to leave the house with her Mac Air until we get the OS X fix. I have to say this is the first I can remember such a glaring bug by Apple. Like all developers they have security issues, but most are a bit more obscure. This one seems like anyone could set up shop in a Starbucks and do some serious damage to people.
It's actually very hard for the average Joe to perform this attack at Starbucks, as well as pretty much all common public wifi networks, such as McDonalds or airports. Most of these networks have layers that make it very difficult. Access to the router would be the easiest way.

So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.
 

MikhailT

macrumors 601
Nov 12, 2007
4,582
1,325
I just installed an update that showed up in Mac App Store called "Mac App Store update 1.0". Was it a fake update, does someone own my computer now? :( I can't find any news or info about the update.

I'm using OS X 10.8.5

I hope both Mavericks and Mtn Lion get patched for this. There are likely machines still running Mountain Lion in enterprise environments where updates don't happen right away.

10.8.x isn't affected, only Mavericks is.
 

nfl46

macrumors G3
Oct 5, 2008
8,300
8,523
Just updated to 7.0.6 and rejailbroke my devices. Better safe than sorry.
 

casperes1996

macrumors 604
Jan 26, 2014
7,383
5,421
Horsens, Denmark
Update son then

If it uses the same algorithm for verification, surely Apple could just apply the same fix on OS X, that they applied on iOS.... Update coming soon guys
 

MahBoi

macrumors newbie
Feb 20, 2014
23
0
The other problem with SSL is that nobody ever cares about "certificate invalid" warnings since they seem to show up randomly. EDIT: I maybe meant "certificate not verified".
 
Last edited:

MahBoi

macrumors newbie
Feb 20, 2014
23
0
READ: Introduced in 10.9. I tested my Safari (running 10.8.5), and it's fine. Yet another Mavericks bug :rolleyes: I'll go laugh at my friend who thinks that Mavericks was a worthwhile upgrade.
 

petsounds

macrumors 65816
Jun 30, 2007
1,493
519
Can someone explain this bug in detail and why is it important to the average user please? It seems big enough where Apple had to update iOS 6 for the 3GS as well.

So let's say you're taking your Macbook Air to a new coffee shop named Carl's. There's a hotspot that says "Carl's Free Wifi" so you connect. Except you've just connected to someone's computer pretending to be a wifi router. With special software, this person can forward on your data, so it looks like you're connected to a legit hotspot. But this person can inspect any data you send and grab emails, passwords, credit card numbers, whatever. They can also modify the data sent back to you and send exploits to gain access to your computer.

Now, with SSL (https), the data sent to websites is encrypted and the person can't see it. But in this case the connection is not verified and the person can pretend to be the website. Thus, the person can still see everything.
 

petsounds

macrumors 65816
Jun 30, 2007
1,493
519
That's why I use Chrome, which gets security updates after every few weeks. :)

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
 

Retired Cat

macrumors 65816
Jun 12, 2013
1,210
380
OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

So, the easiest way attackers could execute this is if they set up their own network called FREE WIFI at public spots and tried to seek trusted credentials.

As long as the device is only connecting to trusted wifi networks, your wife will be fine. However, iOS 7.0.6 does of course block this hack going forward.


I have another question related to this:

Suppose I log into a service like Twitter. My info goes from my iPhone to my router to my ISP, and then is routed somehow to Twitter. Can anyone along this chain/path after my router use this exploit?

My home router is only used by myself and family members. If I am fairly sure that my personal router is secure, was I safe? I use only my home WiFi and mobile phone service provider to connect to the Internet. I've never used any WiFi hotspots.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.