OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

[sracer]

What I am wondering is if you are still on iOS6 on your iphone 5 and you decide to update your software, do you just get the 7.0.6 update only or does it try to actually install the entire iOS7?

I ask because I'm still on iOS6 on iPhone 5 and it says I have only 1 update 7.0.6 the details below that say it's a fix for the SSL problem and the size is 1.2 GB. So maybe Apple is allowing iOS6 owners to just download this software and not the entire iOS7. We know the full iOS7 update is over 3 GB so maybe we can just update the SSL fix without having to install the entire iOS7.

Anyone try it?

It's the whole OS.

 

[Dorje Sylas]

**** **** **** **** Apple!

Where's my iOS 6.1.6 for iPads and similar devices!? ****!

Fine, you and your flat pastel spunk win! I give, "Uncle!"

For those wondering, yes, Apple is efficiently blacking mailing everyone who is using iOS6 on any device that isn't an iPod Touch 4 or iPhone 3GS to upgrade to iOS7. We don't have any other option.

 

[MrGuder]

But see that is not really fair...up to this point if I chose not to install iOS7 it was my decision or my option but because of this I no longer have any option. It's just not right.

 

[numlock]

Yes there are patches for iOS 6 but only for those devices where iOS 7 isn't available. I'm just not sure logistically how it works. Does the iOS 7 update on the users phone get replaced by an iOS 6 update? And if that's installed does another iOS 7 update show up?

you mean for an iphone 4 (on ios6 for instance)?

if thats what you mean then i can tell you it just gives you the 7.0.6 update in settings - software update.

happen to have an iphone 4 running 6.1.3 on my desk

 

[ItWasNotMe]

Very soon?

When you are least expecting it? or,
When everyone has forgotten what it was all about?

 

[Tech198]

Quick question: In much the same way this would affect all SSL internet sites, would it also affect logging into the App Store too ?

True, your not using Safari app, but you are still passing credentials over SSL.

This alone, you should still update ?

 

[Morod]

Apple is sure being quiet about this.
I'm still on SL 10.6.8, so I think I'm okay.

 

[Rigby]

Tools to easily exploit this bug are now available. A proof-of-concept by a security researcher:

http://corte.si/posts/security/cve-2014-1266.html

At least two exploit kits used by real blackhats have also been updated.

 

[pondosinatra]

Wow. What a useless article.

What versions of OS X are affected???

----------

Apple is sure being quiet about this.
I'm still on SL 10.6.8, so I think I'm okay.

Well that's my guess. In typical Apple fashion they probably broke what's been working for years when they introduced the newer OS's. But hey, iTunes sure looks pretty!

 

[C DM]

Wow. What a useless article.

What versions of OS X are affected???

----------



Well that's my guess. In typical Apple fashion they probably broke what's been working for years when they introduced the newer OS's. But hey, iTunes sure looks pretty!

Did you even read the article and the sources it links to?

 

[C DM]

Looks like OS X Mavericks has been patched with the release of 10.9.2: https://www.macrumors.com/2014/02/25/osx-update-ssl-facetime-audio/

 

[pondosinatra]

Did you even read the article and the sources it links to?

Yes. I'm looking for a bit more clarity than 'it may have been introduced in Mavericks'....

 

[C DM]

Yes. I'm looking for a bit more clarity than 'it may have been introduced in Mavericks'....

The clarity is that it doesn't exist in OS X before Mavericks, and the latest update to Mavericks (10.9.2) has patched it there too, so effectively it doesn't exist in OS X anymore.

 

[JPS127]

I still find that Mail, when it's a matter of Gmail, is very unreliable.

 

[munkery]

MITM attacks can defeat SSL even without this bug if the user doesn't manually verify the certificate credentials by looking at the organizations name attributed to the certificate. This can be done using ettercap in combination with SSLstrip and other programs for such activities.

Even then a cross site scripting vulnerability in a client side app, such as the browser, which are found all the time can allow SSL credentials to be compromised via the ever so common phishing emails.

Most users don't know how to adequately protect themselves from those types of compromises so the presence of this issue doesn't really make unknowledgeable users less secure anyway.

This doesn't mean that this issue shouldn't be treated seriously but it isn't the end of the world that the media is making it out to be.

 

[R4z3r]

Thanks for posting that link.

I still have a question...be kind as I don't fully understand how it all works.

It's my understanding that SSL encrypts the data between the browser and server. If my assumption is correct then does this bug remove the encryption if a "man in the middle" attack was to take place?

I'm assuming it does but we all know what can happen when we assume

Whoever replies to my question feel free to provide links if a reply will take things off topic.

Thanks,

Jon...

SSL Works like this:

This bug shows up in the "Here's my certificate" phase, as they can't check who issued the certificate. Meaning, a malicious individual could have sent it and be using the information. This could be man in the middle, though in that case it would probably make more sense just to read the traffic and get information.

 

[Jon-PDX]

Thanks for the flowchart (image) and the explanation. That helps a lot.

Jon…