
Apple SSL Vulnerability

Update 02/25: Apple has issued a fix for OS X in today’s release of 10.9.2. Please go to the Mac App Store on your Mac and download it IMMEDIATELY. Details can be found here.

On Friday, February 21st, 2014 Apple pushed out an emergency SSL security update for iOS (7.0.6) to patch a gaping security hole that leaves ALL iPhones, iPads, and iPods completely vulnerable to having secure communication intercepted. That means if you’ve been accessing your bank, email, or anything else sensitive through a Web interface using Safari or several other Apple apps – you have been susceptible to having your sensitive data intercepted.

Check Your System for Apple’s SSL Vulnerability

You can quickly check any system by visiting: https://gotofail.com. If your system is vulnerable it will report back like this:
SSL Vulnerability

You can run the check in both Google Chrome and Apple Safari to confirm that Chrome is not vulnerable while Safari is.

iOS SSL Vulnerability

For iOS devices, Apple identifies the issue in this support post, which states:

iOS 7.0.6
Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID

CVE-2014-1266

An update is available for all iOS users. You can install it by opening SETTINGS > GENERAL > UPDATES on your iOS device and manually checking for, and then installing, the update. This is something ALL users should do immediately!

Mac OSX SSL Vulnerability

Unfortunately, for Mac OSX users, there is currently NO fix for Safari, Mail, and other native Mac apps. Therefore, you should NOT access ANY secure (HTTPS) sites using those applications until a patch is released.

The Chrome browser is not affected by this vulnerability, because it ships its own TLS implementation rather than relying on Apple’s Secure Transport library, so I would recommend downloading and using that Web browser, at least until the security hole has been patched – if not indefinitely.

How it Happened

Technically speaking, the actual error occurred in Apple’s open-source security code (the Secure Transport library). The mistake is as simple as a duplicated line, the kind of slip a copy & paste produces. A discussion of the likely hole can be found here.

Apple SSL Code Failure

The failure occurs between lines 50 and 60:

    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;   /* duplicated line: not inside the if, so it is always taken */
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

That one extra goto fail; is enough to break things: it is not guarded by the if, so it is always executed, and everything after it, including the final check of the server’s signature, is skipped. Because err still holds the 0 (success) returned by the preceding hash step, the function reports the connection as valid even when the signature is bogus. And no one actually knows how long this vulnerability has been present.
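To see the control-flow effect in isolation, here is an added, self-contained illustration (not Apple’s code): the hash and signature calls are replaced with constructed stubs so that only the duplicated goto decides the outcome, and the vulnerable sequence is shown beside the fixed one.

```c
/* Added illustration of the duplicated "goto fail;" (CVE-2014-1266).
 * NOT Apple's code: hash/verify steps are simulated with constructed stubs. */
#include <stdio.h>

typedef int OSStatus;

/* Stand-ins: the hash steps always succeed, verify depends on the argument. */
static OSStatus hash_update_ok(void) { return 0; }
static OSStatus hash_final_ok(void) { return 0; }
static OSStatus verify_signature(int signature_is_valid) {
    return signature_is_valid ? 0 : -1;   /* -1 models "bad signature" */
}

/* Mirrors the vulnerable sequence: the second goto is unconditional, so
 * verify_signature() never runs and err is still 0 from the hash step. */
OSStatus verify_vulnerable(int signature_is_valid)
{
    OSStatus err;
    if ((err = hash_update_ok()) != 0)
        goto fail;
        goto fail;            /* the extra line: always taken */
    if ((err = hash_final_ok()) != 0)
        goto fail;
    if ((err = verify_signature(signature_is_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Same sequence with the duplicate removed: the signature check is reached. */
OSStatus verify_fixed(int signature_is_valid)
{
    OSStatus err;
    if ((err = hash_update_ok()) != 0)
        goto fail;
    if ((err = hash_final_ok()) != 0)
        goto fail;
    if ((err = verify_signature(signature_is_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature: %d\n", verify_vulnerable(0)); /* 0 = accepted */
    printf("fixed, bad signature:      %d\n", verify_fixed(0));      /* -1 = rejected */
    return 0;
}
```

A bad signature is accepted (return 0) by the vulnerable version and rejected (return -1) by the fixed one; a valid signature passes in both.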

Third Party Verification of Apple’s SSL Vulnerability

Whenever a vulnerability as big as this one is reported, it is important to double and triple check sources before taking action, so that you are not led, through Fear, Uncertainty and Doubt, into creating a hole where there was none.

For this reason, here are links to other sites reporting the same story so you can validate the threat:

Please update your iOS immediately via the built in update method, and keep an eye out for Apple to release an OSX update very soon.

About The Author


John P. is CEO of Livid Lobster and co-host of Geek Beat TV. You can also find him on Twitter and Google+.

13 Responses

  1. Christian

    Hi John, I’m still using Snow Leopard (Mac OS X Version 10.6.8) and iOS 6.1.4. Does this problem also affect me? Thanks!

    • John P.

      As far as I understand, you should be Ok Christian. But check for any updates to the OS anyway, because you may have other vulnerabilities if you haven’t updated in a while.

      Cheers,

      John P.

  2. David Huff

    OK Apple, so what if I don’t wanna install a whole new release of OSX? Or if my Mac H/W won’t support OSX 10.9.x? ::quizzical look::

    • David Huff

      OK, duh… never mind. Only affects OSX 10.9. I’m up to date with security patches on my Macs running OSX Lion (current level 10.7.5 11G63) and the gotofail.com test website says I’m good.

  3. Nathan

    So the iOS 7.0.6 patch is only available for mobile devices so far? Figures. I just bought my first Mac this past week, after 20 years of Microsoft loyalty.

  4. David Wright

    Thanks John
    Keeping us updated with these developments is greatly appreciated.