Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.
According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.
This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.
Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."
If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.
That's why I use Chrome, which gets security updates after every few weeks. :)
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.
Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.
Microsoft wouldn't allow this to go ignored as long as Apple has.
$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code? :confused: :mad:
I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!
"Apple has also released iOS 6.1.6 (build 10b500) for the iPhone 3GS and fourth-generation iPod touch."
Probably if you can upgrade to 7, you get 7.06, even you are still on IOS 6. I guess this is a really good way for Apple to get more people on 7.
How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.:rolleyes:
Friday December 1, 2023 12:19 pm PST by Joe Rossignol
iOS 17.2 has been in beta testing for over a month, and it should be released to all users in a few more weeks. The software update includes many new features and changes for iPhones, including the dozen that we have highlighted below. iOS 17.2 is expected to be released to the public in mid-December. To learn about even more features coming in the update, check out our full list. Journal ...
Wednesday December 6, 2023 5:06 am PST by Tim Hardwick
Unidentified governments are surveilling smartphone users by tracking push notifications that move through Google's and Apple's servers, a US senator warned on Wednesday (via Reuters). In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from the tech giants to track smartphones. The traffic flowing from apps that send push notifications...
Tuesday December 5, 2023 11:28 am PST by Juli Clover
Apple today released new firmware update for both the Lightning and USB-C versions of the AirPods Pro 2. The new firmware is version 6B34, up from the 6B32 firmware introduced in November. Apple does not provide details on what features might be included in the refreshed firmware beyond "bug fixes and other improvements," so it is unclear what's new in the update, but prior software releases ...
Wednesday December 6, 2023 2:03 am PST by Tim Hardwick
Apple's Korean suppliers have begun developing smartphone under-display cameras (UDC), paving the way for the first iPhone with a true "all-screen" appearance. According to The Elec, LG Innotek has entered the preliminary development of the UDC, which sits under the display and does not result in a visible hole in the panel when the camera is not in use. A UDC differs from a typical front ...
Tuesday December 5, 2023 11:04 am PST by Juli Clover
The iOS 17.2 update that Apple is set to release to the public in the near future will bring support for the next-generation Qi2 wireless charging standard to the iPhone 13 and iPhone 14 models. Qi2 was mentioned in the release notes for the RC version of the update that came out today. With the addition of support for the new standard, iPhone 13 and iPhone 14 models will work with Qi2...
Wednesday December 6, 2023 1:17 pm PST by Marko Zivkovic
Recently, MacRumors has received details on the battery currently being tested on the upcoming fourth-generation iPhone SE, and the information corroborates previous findings in relation to the device. The iPhone SE 4, known by its device identifier D59, is expected to use the exact same battery found in the base model iPhone 14. Partially assembled prototypes of the next iPhone SE have been ...
Today we're tracking a collection of deals that are matching - or nearly matching - the same all-time low discounts we saw during Black Friday. This includes the AirPods Pro 2 with USB-C, 9th generation iPad, and M1 MacBook Air. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the ...
Tuesday December 5, 2023 1:57 am PST by Tim Hardwick
Meta has revealed plans to end Instagram users' ability to chat with Facebook accounts later this month, rolling back a feature that it introduced over three years ago. In September 2020, Meta (then Facebook) announced it was merging its Facebook Messenger service with Instagram direct messaging, allowing Instagram users to chat with Facebook users and vice versa using the same platform....
Top Rated Comments
:apple:
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.
Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.
Microsoft wouldn't allow this to go ignored as long as Apple has.
Here's more:
http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/