Update 02/25: Apple has issued a fix for OS X in today's release of 10.9.2. Please go to the Mac App Store on your Mac and download it IMMEDIATELY. Details can be found here.
On Friday, February 21st, 2014 Apple pushed out an emergency SSL security update for iOS (7.0.6) to patch a gaping security hole that leaves ALL iPhones, iPads, and iPods completely vulnerable to having secure communication intercepted. That means if you’ve been accessing your bank, email, or anything else sensitive through a Web interface using Safari or several other Apple apps – you have been susceptible to having your sensitive data intercepted.
Check Your System for Apple’s SSL Vulnerability
You can quickly check any system by visiting: https://gotofail.com. If your system is vulnerable it will report back like this:
Run the check in Google Chrome as well as in Apple Safari to confirm that the Google browser is not vulnerable (Chrome does not use Apple's Secure Transport library, so it is unaffected even on an unpatched system).
iOS SSL Vulnerability
For iOS devices, Apple identifies the issue in this support post, which states:
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
An update is available for all iOS users. Install it by opening Settings > General > Software Update on your iOS device and manually choosing to check for and then install the update. This is something ALL users should do immediately!
Mac OS X SSL Vulnerability
Unfortunately, for Mac OS X users, there is currently NO fix for Safari, Mail, and other native Mac apps that use Secure Transport. Therefore, you should NOT access ANY secure (HTTPS) sites using those applications until a patch is released.
The Chrome browser is not affected by this vulnerability, so I would recommend downloading and using that Web browser, at least until the security hole has been patched, if not indefinitely.
How it Happened
Technically speaking, the error is in Apple's open-source Secure Transport code, the library that implements SSL/TLS. It looks like nothing more than a copy-and-paste mistake: a single duplicated line. A discussion of the likely hole can be found here.
The failure occurs between lines 50 and 60:

```c
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;
```

That one extra, unconditional goto fail; is enough to break things: it jumps to the cleanup label while err is still 0, so the signature check that follows is never executed and the function reports success for any server key exchange, signed correctly or not. And no one actually knows how long this vulnerability has been present.
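To make the effect of that duplicated line concrete, here is an added, self-contained C example; it is not Apple's code and not the Secure Transport source. It keeps the control-flow shape of the vulnerable function but replaces SHA-1 and the real signature check with a toy hash (acc = acc * 31 + byte) and a "signature" that is simply the expected hash value; the function names (verify_buggy, verify_fixed, toy_hash), the error code ERR_BAD_SIGNATURE and the input "abc" are all constructed for this illustration. Comparing the two functions shows the defender's point: with the extra goto, a wrong signature is accepted; with it removed, the same input is rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a hash context and its update/final calls.
 * This toy hash only exists to keep the example self-contained; it is
 * not SHA-1 and not Apple's code. Return value 0 means success. */
typedef struct { uint32_t acc; } ToyHashCtx;

static int toy_hash_update(ToyHashCtx *ctx, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        ctx->acc = ctx->acc * 31u + buf[i];
    return 0;
}

static int toy_hash_final(ToyHashCtx *ctx, uint32_t *out) {
    *out = ctx->acc;
    return 0;
}

/* Value a correct "signature" must carry for a given input (constructed helper). */
uint32_t toy_hash(const uint8_t *buf, size_t len) {
    ToyHashCtx ctx = {0};
    uint32_t out = 0;
    toy_hash_update(&ctx, buf, len);
    toy_hash_final(&ctx, &out);
    return out;
}

#define ERR_BAD_SIGNATURE (-1)   /* constructed error code, not a real OSStatus value */

/* Mirrors the vulnerable structure: the duplicated, unindented "goto fail;"
 * after the first check runs unconditionally while err is still 0. */
int verify_buggy(const uint8_t *params, size_t len, uint32_t signature) {
    int err = 0;
    ToyHashCtx ctx = {0};
    uint32_t hash = 0;

    if ((err = toy_hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;                /* the extra line: always taken, err == 0 here */
    if ((err = toy_hash_final(&ctx, &hash)) != 0)
        goto fail;

    /* Never reached in the buggy version, so any signature is accepted. */
    err = (hash == signature) ? 0 : ERR_BAD_SIGNATURE;

fail:
    return err;
}

/* The same function with the duplicated line removed: the check actually runs. */
int verify_fixed(const uint8_t *params, size_t len, uint32_t signature) {
    int err = 0;
    ToyHashCtx ctx = {0};
    uint32_t hash = 0;

    if ((err = toy_hash_update(&ctx, params, len)) != 0)
        goto fail;
    if ((err = toy_hash_final(&ctx, &hash)) != 0)
        goto fail;

    err = (hash == signature) ? 0 : ERR_BAD_SIGNATURE;

fail:
    return err;
}

int main(void) {
    const uint8_t params[] = { 'a', 'b', 'c' };   /* constructed "signed params" */
    uint32_t forged = 0xDEADBEEFu;                /* a signature that is simply wrong */
    uint32_t good = toy_hash(params, sizeof params);

    printf("buggy accepts forged signature:  %s\n",
           verify_buggy(params, sizeof params, forged) == 0 ? "yes" : "no");
    printf("fixed accepts forged signature:  %s\n",
           verify_fixed(params, sizeof params, forged) == 0 ? "yes" : "no");
    printf("fixed accepts correct signature: %s\n",
           verify_fixed(params, sizeof params, good) == 0 ? "yes" : "no");
    return 0;
}
```

Note that compilers do not reject the buggy version: an unconditional goto after an if body is legal C, which is why a warning for unreachable code (or a coding standard that requires braces around every if body) is the kind of guard that would have caught this.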
Third Party Verification of Apple’s SSL Vulnerability
Whenever a vulnerability as big as this one is reported, it is important to double- and triple-check sources before taking action, so that you are not led, through Fear, Uncertainty and Doubt, into creating a hole where there was none.
For this reason, here are links to other sites reporting the same story so you can validate the threat:
Please update your iOS device immediately via the built-in update method, and keep an eye out for Apple to release an OS X update very soon.