I tried Mavericks, and all the ML bugs are still there and then some. You've been exposing your Mac to man-in-the-middle attacks up until… oh yeah it's not even patched yet… by running 10.9. The users patiently waiting on Mountain Lion can then just update to Mavericks once these things are patched. There is absolutely zero advantage in updating early.
Aside from potential security issues that might exist in ML but not in Mavericks--just because they aren't publicly known doesn't mean they don't exist or at the very least couldn't. So it's not like doing one is better than the other necessarily.
 
I can't believe how any developer working on such an important module of the system can act this stupid and how this code could even pass the review. Wherever software is developed these days, every change to the code is carefully reviewed by another developer using specialized review software before it is allowed to find its way into the final code.

For those who'd like to know how this bug was introduced:

C:
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
  goto fail;
  goto fail;  /* unconditional: the final() call and the signature check after it are never reached, and err is still 0 */
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
  goto fail;

Source: http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c

Adding the second "goto fail;" was more or less the only thing changed in that file, leading to "fail" no matter what the result of the if-statement is. For those who don't know about programming: this is a totally obvious mistake every beginner in programming, and especially the reviewer, should be aware of. When reviewing changes to the code, you usually see both files side by side, in this case pointing out: "THIS IS THE ONLY LINE THAT CHANGED. PLEASE CHECK IT", and the reviewer should think something like "WTF IS THIS CRAP?".

This is a real shame. I wonder how the developer and reviewer explained this to their line managers.
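An added illustration of why that one line matters (not Apple's code and not from this thread): a toy model of the same control flow, with the hash and signature steps replaced by constructed stand-ins (hash_update, hash_final, verify_sig, ERR_SIG_MISMATCH are all made up for the demo), next to the version with the stray goto removed.

```c
#include <stdint.h>
/* Constructed error code for this demo (stands in for the real SSL error). */
#define ERR_SIG_MISMATCH 1

/* Stand-ins for the hash and signature steps; each returns 0 on success. */
static int hash_update(uint32_t *ctx, const char *data) {
    for (; *data; data++)
        *ctx = *ctx * 31u + (unsigned char)*data;   /* toy hash, not SHA-1 */
    return 0;
}
static int hash_final(const uint32_t *ctx, uint32_t *out) { *out = *ctx; return 0; }
static int verify_sig(uint32_t digest, uint32_t sig) {
    return digest == sig ? 0 : ERR_SIG_MISMATCH;
}

/* Shape of the buggy code: the second goto is not governed by the if, so it always
 * runs; hash_final and verify_sig are skipped and err is still 0 ("signature ok"). */
int verify_vulnerable(const char *params, uint32_t sig) {
    uint32_t ctx = 0, digest = 0;
    int err;
    if ((err = hash_update(&ctx, params)) != 0)
        goto fail;
        goto fail;                      /* the duplicated line */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    if ((err = verify_sig(digest, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Same logic with the stray goto removed; braces make a repeat of the
 * mistake a visible syntax change rather than a silent indentation change. */
int verify_fixed(const char *params, uint32_t sig) {
    uint32_t ctx = 0, digest = 0;
    int err;
    if ((err = hash_update(&ctx, params)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    if ((err = verify_sig(digest, sig)) != 0) { goto fail; }
fail:
    return err;
}

uint32_t good_sig(const char *params) {   /* the value verify_fixed accepts */
    uint32_t ctx = 0, digest;
    hash_update(&ctx, params); hash_final(&ctx, &digest);
    return digest;
}
```

With clang, -Wunreachable-code (which -Wall does not enable) reports the dead code after the second goto in verify_vulnerable.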
This looks more like a broken merge than anything. The patch containing the flaw would be titled along the lines of "merge branch JonyIveBleedingEyeballs4 into IOS7final" and would contain changes to 200-some-odd files, one of which contains the flaw. You can't blame the reviewer for missing it.
 
Yes iOS 6 is affected as well.

----------

Clearly they released an iOS 6 update too, so it wouldn't be out of line to allow those still on iOS 6 to be able to get it without having to upgrade to iOS 7.

Thanks for the response. When I try to update the only option I'm given is iOS 7. I think the iOS 6 update is only an option for people on the iPhone 3s which can't update to iOS 7. :(
 
Thanks for the response. When I try to update the only option I'm given is iOS 7. I think the iOS 6 update is only an option for people on the iPhone 3s which can't update to iOS 7. :(
Right, unfortunately that appears to be the case.
 
Well the badge indicator on the Settings app would essentially be that notification, that a new update is available for the device.

Badge has been there for months. It was an early version of iOS 7. No reason to think there is a critical security flaw. I got the info from Fidelity's website.
 
Badge has been there for months. It was an early version of iOS 7. No reason to think there is a critical security flaw. I got the info from Fidelity's website.
The point is that there is an indicator to update; ignoring it without at least looking into it is a personal decision that isn't really the fault of Apple.
 
The point is that there is an indicator to update; ignoring it without at least looking into it is a personal decision that isn't really the fault of Apple.

The update that was forced to my device is not 7.0.6.

Ironically twice on Friday I got the nag screen on my MBA to update to Mavericks. Bullet dodged :)

I will wait for a few. Apple is most likely in full damage control mode. Give them a chance to accommodate iOS 6 users. It's possible that a decision to provide parallel updates may be made. The patch is available. Withholding it is not reasonable.

The company needs time to patch OS X.

The iPad mini will stay at home on my passworded network for awhile.

----------

The point is that there is an indicator to update; ignoring it without at least looking into it is a personal decision that isn't really the fault of Apple.

The users did not write the faulty code.
 
The update that was forced to my device is not 7.0.6.

Ironically twice on Friday I got the nag screen on my MBA to update to Mavericks. Bullet dodged :)

I will wait for a few. Apple is most likely in full damage control mode. Give them a chance to accommodate iOS 6 users. It's possible that a decision to provide parallel updates may be made. The patch is available. Withholding it is not reasonable.

The company needs time to patch OS X.

The iPad mini will stay at home on my passworded network for awhile.

----------



The users did not write the faulty code.
But they chose to ignore the update when notified that one exists. The ignorance of it is not in the realm of what Apple can really be responsible for, that's what I'm saying. Of course the issue itself that needed to be patched and updated, that's on Apple.
 
But they chose to ignore the update when notified that one exists. The ignorance of it is not in the realm of what Apple can really be responsible for, that's what I'm saying. Of course the issue itself that needed to be patched and updated, that's on Apple.

You are aware that this is my iPad? I am not making decisions for yours.
 
Mountain Lion not that great either

Just checked https://www.howsmyssl.com. Turns out that Mountain Lion's SSL is badly flawed too - but in a different way. Why haven't Apple fixed this? :mad: On second thoughts - wouldn't want the Mavericks fix. :rolleyes:
 

For curiosity's sake I went to this site on my PC to see what the situation was like on the Windows side. Chrome and Firefox passed all six tests, and at the top it said my SSL client was "probably ok". IE passed every test except one (session ticket support), and at the top it said SSL was "improvable". It sounds like it IS a secure connection, but would be faster with session ticket support.

I'm on Windows 7 though, so not sure what things are like after the train wreck that happens just down the track... ;)

Hopefully this gets patched real soon. I'm glad to know my iPad is ok now- though the fact that this went unknown for so long makes me wonder what else needs to be fixed... :eek:
 
Its obviousness and clumsiness tends to support the theory that Gruber talks about today (Daring Fireball) that it was deliberately introduced for spying purposes.

Nonsense. If it were a deliberate bug, then why put the code into a public, open-source repository where everyone can see it?

I'm sure there are plenty of obscure flaws in SSL/TLS that the NSA/GCHQ can exploit anyway. No need for something as blatant and trivially exploited as this.
 
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.
I'm sure I am the only one on this site that finds it interesting that Google has time for their software engineers to dig into Apple's code to find bugs but takes months to fix more dangerous bugs that allow Android to be taken over.
 
Here I was sure that Apple was so serious about my privacy from the recent iAds thread, or does that only involve data that Apple believes it owns instead of my data on my devices?
 
But they chose to ignore the update when notified that one exists. The ignorance of it is not in the realm of what Apple can really be responsible for, that's what I'm saying. Of course the issue itself that needed to be patched and updated, that's on Apple.

I guess the question is, if someone has a device capable of running iOS 7 but they're running iOS 6 instead should Apple update those phones with an iOS 6 patch? Apple obviously wants as many people on the latest and greatest software as possible. But there are people who just don't want to update. So does Apple swap out 7.0.6 update and replace it with 6.1.6 on those devices? :confused:
 
I guess the question is, if someone has a device capable of running iOS 7 but they're running iOS 6 instead should Apple update those phones with an iOS 6 patch? Apple obviously wants as many people on the latest and greatest software as possible. But there are people who just don't want to update. So does Apple swap out 7.0.6 update and replace it with 6.1.6 on those devices? :confused:

There can be reasons other than just "not wanting" to update.

Then it's the question of what is "capable". Does that mean you can just install it, or that it runs at least better than the previous OS?

A company that prides itself on customer support (although I got served with some real idiots the last two times I called) should respect the choices the users have made previously.

Are patches not offered for devices that do not support iOS 7?
 
There can be reasons other than just "not wanting" to update.

Then it's the question of what is "capable". Does that mean you can just install it, or that it runs at least better than the previous OS?

A company that prides itself on customer support (although I got served with some real idiots the last two times I called) should respect the choices the users have made previously.

Are patches not offered for devices that do not support iOS 7?

Yes there are patches for iOS 6 but only for those devices where iOS 7 isn't available. I'm just not sure logistically how it works. Does the iOS 7 update on the user's phone get replaced by an iOS 6 update? And if that's installed does another iOS 7 update show up?
 
Read this article to really understand it:
http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062

They explain why this bug is a very big deal.

Thanks for posting that link.

I still have a question...be kind as I don't fully understand how it all works.

It's my understanding that SSL encrypts the data between the browser and server. If my assumption is correct then does this bug remove the encryption if a "man in the middle" attack was to take place?

I'm assuming it does but we all know what can happen when we assume ;)

Whoever replies to my question feel free to provide links if a reply will take things off topic.

Thanks,

Jon...
 
I almost forgot ....

In the article at gizmodo it says that this bug has been in iOS since ver 6.x which means September 2012.

Quote from Twitter post:
I have confirmed that the SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0 /cc @markgurman
9:11am - 22 Feb 14


Thankfully our iPads do not leave the house but I do have a couple things turned on in iCloud (safari, calendar, reminders).

Obviously my iPhone does leave the house (also with the same iCloud settings) but I do not connect to wifi with it when away from home. Should I still be concerned that passwords may have been compromised over the AT&T network because of this issue?

Thanks,

Jon...
 
Why!!!

Why for every software update must Bluetooth be enabled if I had it turned off before the update?
 
Yes there are patches for iOS 6 but only for those devices where iOS 7 isn't available. I'm just not sure logistically how it works. Does the iOS 7 update on the user's phone get replaced by an iOS 6 update? And if that's installed does another iOS 7 update show up?
All of that would seem reasonable if Apple truly wanted to make sure people get this important fix and didn't connect it to anything else (like upgrading to a whole new version of iOS which is unrelated and not necessary for this).
 
Yes there are patches for iOS 6 but only for those devices where iOS 7 isn't available. I'm just not sure logistically how it works. Does the iOS 7 update on the user's phone get replaced by an iOS 6 update? And if that's installed does another iOS 7 update show up?
It doesn't need to be that complicated.

If a device is currently running iOS 6.x, Apple offers to update it to 6.1.6.
If a device is currently running iOS 6.1.6, Apple offers to update it to 7.0.6.
If a device is currently running iOS 7.x, Apple offers to update it to 7.0.6.

But that would require Apple to loosen their grip on trying to force upgrades to 7.x which is highly unlikely.
 
Does the iOS 7 update on the user's phone get replaced by an iOS 6 update? And if that's installed does another iOS 7 update show up?

EXACTLY what I'm thinking....

What I am wondering is, if you are still on iOS 6 on your iPhone 5 and you decide to update your software, do you just get the 7.0.6 update only or does it try to actually install the entire iOS 7?

I ask because I'm still on iOS 6 on an iPhone 5 and it says I have only 1 update, 7.0.6; the details below that say it's a fix for the SSL problem and the size is 1.2 GB. So maybe Apple is allowing iOS 6 owners to just download this software and not the entire iOS 7. We know the full iOS 7 update is over 3 GB, so maybe we can just update the SSL fix without having to install the entire iOS 7.

Anyone try it?
 