Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.
According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.
This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.
Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."
Saturday August 10, 2024 5:00 am PDT by Tim Hardwick
Apple typically releases its new iPhone series in the fall, and a possible September 10 announcement date has been floated this year, which means we are just one month away from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design...
Apple's M3 MacBook Pro is seeing multiple high value discounts on Best Buy and Amazon today, with up to $1,000 off select models. This includes a new all-time low price on the entry-level M3 512GB 14-inch MacBook Pro at $1,299.00, down from $1,599.00, and a massive $1,000 discount on the high-end 16-inch model exclusively for Best Buy members. Note: MacRumors is an affiliate partner with Best...
Tuesday August 13, 2024 4:01 pm PDT by Juli Clover
Multiple rumors have suggested that the iPhone 16 models are going to have an all-new button that's designed to make it easier to capture photos when the devices are held in landscape mode. Apple calls the button the Capture Button internally, and it is going to be one of the most advanced buttons that's been introduced to date with support for multiple gestures and the ability to respond to ...
Apple is beta testing iOS 18 and the first update to iOS 18 concurrently, and we got the second betas of iOS 18.1, iPadOS 18.1, and macOS Sequoia 15.1 today alongside the sixth betas of iOS 18, iPadOS 18, and macOS Sequoia 15. Many of the changes in iOS 18.1 are focused on bringing the .1 betas in line with the standard betas, which recently received updates to Photos and Safari, while...
Thursday August 8, 2024 4:40 am PDT by Tim Hardwick
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
Apple's rumored iPhone 17 "Slim" could be positioned as an iPhone "Air" to boost sales, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman explained how the "fourth" model in the iPhone lineup since 2020 (the iPhone 12 mini, iPhone 13 mini, iPhone 14 Plus, and iPhone 15 Plus) has largely been a commercial failure. In the case of the Plus model,...
If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.
That's why I use Chrome, which gets security updates after every few weeks. :)
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.
Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.
Microsoft wouldn't allow this to go ignored as long as Apple has.
$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code? :confused: :mad:
I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!
"Apple has also released iOS 6.1.6 (build 10b500) for the iPhone 3GS and fourth-generation iPod touch."
Probably if you can upgrade to 7, you get 7.06, even you are still on IOS 6. I guess this is a really good way for Apple to get more people on 7.
How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.:rolleyes:
