Gaping Hole in Apple Device Security Affects ALL iOS and OSX Machines
John P. | February 23, 2014 | News | 13 Comments

Update 02/25: Apple has issued a fix in OS X in today's release of 10.9.2. Please go to the Mac App Store on your Mac and download it IMMEDIATELY. Details can be found here.

On Friday, February 21st, 2014 Apple pushed out an emergency SSL security update for iOS (7.0.6) to patch a gaping security hole that leaves ALL iPhones, iPads, and iPods completely vulnerable to having secure communication intercepted. That means if you've been accessing your bank, email, or anything else sensitive through a Web interface using Safari or several other Apple apps – you have been susceptible to having your sensitive data intercepted.

Check Your System for Apple's SSL Vulnerability

You can quickly check any system by visiting: https://gotofail.com. If your system is vulnerable it will report back like this:

Run the check in Google Chrome as well as in Apple Safari to verify that the Google browser is not vulnerable.

iOS SSL Vulnerability

For iOS devices, Apple identifies the issue in this support post, which states:

    iOS 7.0.6
    Data Security
    Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
    Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
    Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
    CVE-ID: CVE-2014-1266

An update is available for all iOS users, and you can install it by opening SETTINGS, GENERAL, UPDATES on your iOS device and manually choosing to search for and then install the update. This is something ALL users should do immediately!

Mac OSX SSL Vulnerability

Unfortunately, for Mac OSX users, there is currently NO fix for Safari, Mail, and other native Mac apps.
Therefore, you should NOT access ANY secure sites using those applications until a patch is released. The Chrome browser is not affected by this security hole, so I would recommend downloading and using that Web browser, at least until the hole has been patched – if not indefinitely.

How it Happened

Technically speaking, the actual error occurred in some open-source security code. Something as simple as an error in copy & paste. A discussion of the likely hole can be found here. The failure occurs between lines 50 and 60:

    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

The extra goto fail; is enough to break things: because the second one sits outside the if, it runs unconditionally, so the final check is never reached and the function jumps to the fail label while err still holds the zero (success) value from the update call. The signature is never actually verified. And no one actually knows how long this vulnerability has been present.

Third Party Verification of Apple's SSL Vulnerability

Whenever a vulnerability as big as this one is reported, it is important to double and triple check sources before taking action, to ensure that you are not being led to actually create a hole where there was none through the use of Fear, Uncertainty and Doubt. For this reason, here are links to other sites reporting the same story so you can validate the threat:

- Crowdstrike.com
- Reuters
- The Register
- Imperial Violet
- Sektioneins

Please update your iOS immediately via the built-in update method, and keep an eye out for Apple to release an OSX update very soon.

13 Responses

Christian, March 5, 2014
Hi John, I'm still using Snow Leopard (Mac OS X Version 10.6.8) and iOS 6.1.4. Does this problem also affect me? Thanks!

John P., March 5, 2014
As far as I understand, you should be OK, Christian. But check for any updates to the OS anyway, because you may have other vulnerabilities if you haven't updated in a while. Cheers, John P.
David Huff, February 25, 2014
OK Apple, so what if I don't wanna install a whole new release of OSX? Or if my Mac H/W won't support OSX 10.9.x? ::quizzical look::

David Huff, February 26, 2014
OK, duh… nevermind. Only affects OSX 10.9. I'm up to date with security patches on my Macs running OSX Lion (current level 10.7.5 11G63) and the gotofail.com test website says I'm good.

Nathan, February 23, 2014
So the iOS 7.0.6 patch is only available for mobile devices so far? Figures. I just bought my first Mac this past week, after 20 years of Microsoft loyalty.

John P., February 23, 2014
For now, just make sure and download and use Google Chrome for any secure websites…

mmstick, February 24, 2014
Format Mac OSX and install Ubuntu 14.04 on it — problem solved.

Nathan, February 24, 2014
Is Firefox also exempt from the security holes?

John P., February 24, 2014
I have HEARD that it is, but not verified… John P.

David Wright, February 23, 2014
Thanks John. Keeping us updated with these developments is greatly appreciated.

John P., February 23, 2014
Thanks David. Just doing my job. John P.
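The control-flow failure from the "How it Happened" section above, reproduced as an added example that is not code from the post or from Apple's Secure Transport. The hash context, sim_update and sim_final are constructed stand-ins for the real SSLHashSHA1.update/final calls; they only record whether they were reached and return the error code the caller tells them to. verify_vulnerable keeps the duplicated goto fail; line, verify_fixed removes it, and the global g_ctx lets you see which checks actually ran.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real hash context: records which of the
 * two signature-check steps was reached. */
typedef struct {
    int update_called;
    int final_called;
} HashCtx;

HashCtx g_ctx; /* inspected after each call to see what ran */

/* Stand-in for SSLHashSHA1.update: succeeds, as it did in the real bug. */
static int sim_update(HashCtx *ctx) {
    ctx->update_called = 1;
    return 0;
}

/* Stand-in for SSLHashSHA1.final: nonzero means the signature does not
 * match, which is exactly the case this check exists to catch. */
static int sim_final(HashCtx *ctx, int signature_is_bad) {
    ctx->final_called = 1;
    return signature_is_bad ? -1 : 0;
}

/* Mirrors the structure quoted in the post. The second `goto fail;` is
 * not inside the `if` (no braces), so it always executes: sim_final is
 * never reached and err is still 0 from sim_update, so a bad signature
 * is reported as verified. */
int verify_vulnerable(int signature_is_bad) {
    int err;
    memset(&g_ctx, 0, sizeof g_ctx);
    if ((err = sim_update(&g_ctx)) != 0)
        goto fail;
        goto fail;  /* the duplicated line */
    if ((err = sim_final(&g_ctx, signature_is_bad)) != 0)
        goto fail;
fail:
    return err;     /* 0 means "connection is authentic" */
}

/* Same logic with the stray goto removed: sim_final runs and its result
 * decides the outcome. */
int verify_fixed(int signature_is_bad) {
    int err;
    memset(&g_ctx, 0, sizeof g_ctx);
    if ((err = sim_update(&g_ctx)) != 0)
        goto fail;
    if ((err = sim_final(&g_ctx, signature_is_bad)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    int err;
    err = verify_vulnerable(1);
    printf("vulnerable, bad signature: err=%d final_called=%d\n",
           err, g_ctx.final_called);
    err = verify_fixed(1);
    printf("fixed,      bad signature: err=%d final_called=%d\n",
           err, g_ctx.final_called);
    return 0;
}
```

Compiling the vulnerable version with unreachable-code warnings enabled (for example clang's -Wunreachable-code) flags the skipped if statement, and a style rule that requires braces around every if body would have made the duplicated line harmless; both are cheap checks to keep in a build of any code that chains error checks with goto.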