OS X Vulnerable to SSL Bug Patched in iOS 7.0.6 Update

Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.

ios6security
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.

According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.

To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).

The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.

vulnerablebrowser
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.

Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."

Related Forums: iOS 7, OS X Mavericks

Popular Stories

New Things Your iPhone Can Do in iOS 18

18 New Things Your iPhone Can Do in iOS 18.2

Wednesday November 27, 2024 5:05 am PST by
Apple is set to release iOS 18.2 in early December, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. There are a handful of new non-AI related feature controls incoming as...
iphone 16 pro models 1

12 Reasons to Wait for Next Year's iPhone 17

Friday November 29, 2024 5:17 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
iPhone 17 Pro Dual Tone Rectangle Feature 1

iPhone 17 Pro Already Rumored to Have These 8 New Features

Wednesday November 27, 2024 12:19 pm PST by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch for 10 more months, there are already plenty of rumors about the devices. An imaginative iPhone 17 Pro concept based on rumors Below, we recap key changes rumored for the iPhone 17 Pro models so far: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro ...
General Black Friday Deals 24 Blue Snowmen

The Best 50+ Black Friday Apple Deals Still Available on AirPods, iPads, MacBooks, and More

Thursday November 28, 2024 1:01 pm PST by
Black Friday 2024 is over, but you can still find great deals on numerous Apple devices this weekend. Right now, this includes big savings on AirPods, Apple Watch, MacBook Air, iPad, and more. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. Specifically, in...
maxresdefault

The MacRumors Show: iPhone 17 Designs Revealed!

Friday November 29, 2024 9:34 am PST by
On this week's episode of The MacRumors Show, we discuss the recently leaked design of the iPhone 17 "Air" and iPhone 17 Pro. Subscribe to The MacRumors Show YouTube channel for more videos Earlier this week, a report from The Information's Wayne Ma revealed that the iPhone 17 Air will have a thickness of between 5mm and 6mm, which would make it the thinnest iPhone ever. In comparison, iPhone ...
airpods pro 2 gradient

AirPods Pro 3 Expected Next Year: Here's What We Know

Thursday November 28, 2024 3:30 am PST by
Despite being released over two years ago, Apple's AirPods Pro 2 continue to dominate the wireless earbud market. However, with the AirPods Pro 3 expected to launch sometime in 2025, anyone thinking of buying Apple's premium earbuds may be wondering if the next generation is worth holding out for. Apart from their audio and noise-canceling performance, which are generally regarded as...
new streaming black friday

Cyber Monday Streaming Deals Include Big Savings on Disney+, Hulu, Paramount+, and Peacock

Friday November 29, 2024 5:38 am PST by
Black Friday is over, but you can still find great savings on streaming memberships this weekend as we head into Cyber Monday. Some of the biggest services have great discounts for new and select returning members, including Disney+, Hulu, Paramount+, and Peacock. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a...
Apple AI Command Center Concept Mock 3

Apple Expected to Launch This All-New Device Next Year

Wednesday November 27, 2024 1:05 pm PST by
Apple is expected to kick off 2025 by launching an all-new smart home hub, also referred to as a "command center," as early as March. The hub is expected to feature around a six-inch display that can be attached to a tabletop base with a speaker, or mounted on a wall. The device is said to run a new "homeOS" operating system with a customizable widget-focused home screen, and it is expected...

Top Rated Comments

Smacky Avatar
141 months ago
If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.

:apple:
Score: 9 Votes (Like | Disagree)
petsounds Avatar
141 months ago
That's why I use Chrome, which gets security updates after every few weeks. :)

This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
Score: 7 Votes (Like | Disagree)
sixrom Avatar
141 months ago
when are they going to fix this?

The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.

Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.

Microsoft wouldn't allow this to go ignored as long as Apple has.

Here's more:
http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/
Score: 6 Votes (Like | Disagree)
pierino84 Avatar
141 months ago
$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code? :confused: :mad:
Score: 6 Votes (Like | Disagree)
lulumink Avatar
141 months ago
I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!
Score: 5 Votes (Like | Disagree)
sracer Avatar
141 months ago
I guess I needed to read more carefully:

"Apple has also released iOS 6.1.6 (build 10b500) for the iPhone 3GS and fourth-generation iPod touch."

Probably if you can upgrade to 7, you get 7.06, even you are still on IOS 6. I guess this is a really good way for Apple to get more people on 7.
How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.:rolleyes:
Score: 5 Votes (Like | Disagree)