Yes, all are quite possible. Any secure website could have been compromised by another site pretending to be another.



The precaution is to install 7.0.6, and as always, monitor all of your personal data for any abnormal activity.


Thanks. This makes me quite upset though, not knowing if my entire digital life has been compromised due to what appears to be a careless coding error :-(
 
iOS 7.0.6 Bricked my iPad Air ...

Luckily, I had auto backup to iCloud enabled. It only took 3 hours of my time to finally figure this out.

What a nightmare. iPhone 5S updated ok. iPad air - now restoring - slowly - from a backup from 6:10 pm last night.

Awful.
 
I agree about iOS 7 perhaps not being fully ready for release when it came out, but that's pretty much unrelated to security issues which can and do exist all the time in practically all software, especially as complex as an OS, no matter how "final" it might actually be.

I think Mavericks' readiness at release is questionable also. I chose not to use Mavericks so it presents no problem to me. My confidence in Apple is not what it was just two years ago.

I no longer update Apple software unless I have a reason to. To date that has not happened. Apple seems to be removing useful features (iWork, AU 6.x) in new releases.

Software with a significant security issue is more concern to me than the disappointing new featureless stuff. May be a good time for whoever runs the place to step back and reevaluate.
 
Thanks. This makes me quite upset though, not knowing if my entire digital life has been compromised due to what appears to be a careless coding error :-(
Look at any other security issues in Windows, Flash, Java, even OS X, and beyond like all kinds of companies with our data getting hacked all the time. Unfortunately this kind of stuff isn't new and is almost to be expected, just the reality of complex and widely available software unfortunately.
 
Look at any other security issues in Windows, Flash, Java, even OS X, and beyond like all kinds of companies with our data getting hacked all the time. Unfortunately this kind of stuff isn't new and is almost to be expected, just the reality of complex and widely available software unfortunately.


I knew that Flash and Java were full of security problems, which is why I bought an iPhone instead of an Android. I thought Apple was more secure because they really talk about how their platform is more secure. Was it an illusion?

I don't see many alternatives though. Maybe instead of doubling down on secrecy, Tim Cook needs to double down on security.
 
Don't feel bad. My wife's iPhone 5 has been crashing when the battery gets to around 20 to 40% and this was after upgrading to iOS 7

Yeah, my 5 also did this regularly with iOS 7. Not "crashing", but spontaneously shutting down when the battery was below 40%.

Seemed to happen most often when the phone was cold, e.g. when using it outside on a cold winter's day.

The issue seems to be fixed in 7.1. Battery life seems better in general with 7.1 too.
 
I knew that Flash and Java were full of security problems, which is why I bought an iPhone instead of an Android. I thought Apple was more secure because they really talk about how their platform is more secure. Was it an illusion?

I don't see many alternatives though. Maybe instead of doubling down on secrecy, Tim Cook needs to double down on security.
Well, it's more secure (as we haven't seen as many security issues and updates as we do for other more popular and widespread software like Flash, Java, or Windows), but it doesn't mean that it's completely secure so at some point something will be surfacing and perhaps even more often as/if it becomes more popular and widespread.
 
"Told you so" !

Not only has there never been a x.x.6 update, but I've never seen them support previous iOS versions like this before. (iOS 6.1.5 and 6.1.6.)

Nice, Apple! :apple:

What better evidence that shows 7.0 wasn't really baked for new hardware release date, at least for iPads, this corporate maneuver hurt end user confidence and at the end of the day hurts credibility, it might give room for second thoughts that could translate into exodus ... Remember "vista" ?
 
You seriously do. It addresses a very bad security flaw, which means secure web and email connections are not, in fact, secure at all. The fact that Apple bothered to update iOS 6 should tell you how serious it is.

There are also reports that OS X has the same bug, and it is not yet addressed there. Expect new Mac OS X patches very soon.
Apple should have made a bigger deal about this and not just a quiet patch. This is a serious security flaw fix that everyone needs to download immediately.

----------

Is there a particular way to know where the issue exists or doesn't exist?
http://247wallst.com/consumer-elect...-low-key-approach-to-fix-major-security-flaw/
Apple Inc. (NASDAQ: AAPL) posted patches to its iOS mobile operating systems on Friday to fix a hole in iOS 6 and iOS 7 that would have allowed “an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS.” The secure transport layer “failed to validate the authenticity of the connection.” Apple has fixed the problem by “restoring missing validation steps.”

This is a pretty big deal. It means that an attacker could intercept communications from an iPhone that was meant to be encrypted. Let’s say the attacker had access to the same network over an unsecured WiFi connection in a coffee shop or restaurant. He could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site. The worse news for Apple is that its desktop operating system, OS X, is perhaps even more exposed to attack.


----------

What better evidence that shows 7.0 wasn't really baked for new hardware release date, at least for iPads, this corporate maneuver hurt end user confidence and at the end of the day hurts credibility, it might give room for second thoughts that could translate into exodus ... Remember "vista" ?
The problem was not that it wasn't ready but that they actually took out important code and didn't even realize they created a huge hole.
 
This is far more dangerous than instability; it can result in loss of your secured personal and financial data. Given that the fix is to delete one single line of code, Apple would be quite foolish to wait on this.

Well millions will not update, millions don't even know what an IOS update is.

If it is so very important, Apple needs to force load it.

Thanks for spelling out the potential ramification, I loaded it a little while ago.
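
The posts above describe a TLS layer that skipped a validation step and a fix that amounts to deleting one line. The following C sketch is an added example, not Apple's source and not code from any post in this thread: a simplified model of how one stray unconditional `goto` can bypass a signature check, with all function names hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for handshake steps; each returns 0 on success. */
static int hash_handshake(void) { return 0; }
static int check_signature(bool sig_valid) { return sig_valid ? 0 : -1; }

/* Vulnerable shape: the second goto is a separate, unconditional statement,
 * whatever its indentation suggests. It jumps to fail with err still 0,
 * so check_signature() is never reached. */
int verify_vulnerable(bool sig_valid)
{
    int err;
    if ((err = hash_handshake()) != 0)
        goto fail;
    goto fail; /* stray duplicate line */
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err; /* 0 means the server's key exchange is accepted */
}

/* Fixed shape: the stray line is deleted, so the check runs again. */
int verify_fixed(bool sig_valid)
{
    int err;
    if ((err = hash_handshake()) != 0)
        goto fail;
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* Constructed input: a server whose signature does not verify. */
    printf("vulnerable, bad signature: %d\n", verify_vulnerable(false));
    printf("fixed, bad signature:      %d\n", verify_fixed(false));
    printf("fixed, good signature:     %d\n", verify_fixed(true));
    return 0;
}
```

Building with clang's `-Wunreachable-code` enabled reports the check that can no longer execute in the vulnerable function.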
 
I am on 7.0.3 and when I check for updates it shows 7.0.4 not 7.0.6. Do I first need to update to 0.4 and then 0.6 and after updating does it preserve your settings - reduced motion, location services and such..?
 
What are the security implications for everyone who has been using devices with this bug for several months?

Were all my passwords on iOS apps like Facebook and Twitter revealed?

Could someone have stolen credit card info from my iTunes account?
Possibly for the first, probably not for the latter.

Basically what this bug allows is "man in the middle" attacks. A determined attacker that is somehow able to intercept traffic to/from your device might slip you a compromised encryption key when one of your apps sets up an encrypted connection to a server on the Internet. The attacker would then be able to decrypt your traffic and possibly capture sensitive information as it is being transmitted. The risk is highest when using a public WIFI connection. It is not very high while using your cellular provider or home Internet.

My recommendation would be to change the most important passwords (primarily your email passwords, since a hacked email account can often be used to reset passwords on other accounts) and keep an eye on other accounts that you have accessed from your iOS devices.
 
One would think that the issue isn't present in iOS 7.1 beta 5, otherwise it would only be responsible and make sense to at least release beta 6 with the fix at the same time that this update was released.

Actually seems that 7.1 B5 is affected. Judging by the new test just posted on the front page. 7.0.6 passes 7.1 b5 fails. https://gotofail.com
 
Well millions will not update, millions don't even know what an IOS update is.

If it is so very important, Apple needs to force load it.

Thanks for spelling out the potential ramification, I loaded it a little while ago.
Just like any other iOS update, notification of it will be pushed to the users and it will even automatically get downloaded usually and most will end up installing it.
 
----------

Anyone know if the bugs patched by 7.0.6 exist in 7.1 beta 5? I only ask because I was running beta 5 up until I read about the 7.0.6 update and how it patched a serious security bug. Immediately downgraded to 7.0.6 in order to ensure that I was protected by the patch. Again, anyone know if the bug patched by 7.0.6 is present in 7.1 beta 5?

7.1 b5 seems to be affected too (See above)
 
Actually seems that 7.1 B5 is affected. Judging by the new test just posted on the front page. 7.0.6 passes 7.1 b5 fails. https://gotofail.com
Well that's not good. Why wouldn't Apple just release another beta update which is realistically easier than a whole public update that they did.
 
Well that's not good. Why wouldn't Apple just release another beta update which is realistically easier than a whole public update that they did.

Good point. Maybe Monday is release day :) I suppose maybe they view it as no one should be using the beta that may be affected by this flaw since it's for "test" devices only. ?????
 
The test at the link above shows iOS 7.1 b5 is affected. :(
Doesn't make much sense on Apple's part not to release a beta update. Unless perhaps they are already deep in the process of having another update or even GM available sometime very soon (where this fix would be included) and it would have been a bit too disruptive to get just this out and then rework that other update all over.
 
Good point. Maybe Monday is release day :) I suppose maybe they view it as no one should be using the beta that may be affected by this flaw since it's for "test" devices only. ?????
Security issues really shouldn't be left unaddressed (for long) even in betas. Not a good practice. Hopefully an update is coming soon.
 
Well that's not good. Why wouldn't Apple just release another beta update which is realistically easier than a whole public update that they did.
:confused: Beta versions are meant for testing, not for general use. It is obviously far more important to push the patch out for the release versions that are used by most people.
 
:confused: Beta versions are meant for testing, not for general use. It is obviously far more important to push the patch out for the release versions that are used by most people.
Clearly I didn't mean to push out the fix just to beta, but to beta as well as to the release versions given that patching a beta is generally an even simpler thing (unless perhaps they are close to being done with another build and would just put the patch there).
 