Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.
According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.
This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.
Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."
If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.
That's why I use Chrome, which gets security updates after every few weeks. :)
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.
Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.
Microsoft wouldn't allow this to go ignored as long as Apple has.
$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code? :confused: :mad:
I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!
"Apple has also released iOS 6.1.6 (build 10b500) for the iPhone 3GS and fourth-generation iPod touch."
Probably if you can upgrade to 7, you get 7.06, even you are still on IOS 6. I guess this is a really good way for Apple to get more people on 7.
How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.:rolleyes:
Tuesday December 12, 2023 10:20 am PST by Joe Rossignol
The first iOS 17.3 beta rolling out to developers today includes a new "Stolen Device Protection" feature that is designed to add an additional layer of security in the event someone has stolen your iPhone and also obtained the device's passcode. Earlier this year, The Wall Street Journal's Joanna Stern and Nicole Nguyen reported about instances of thieves spying on a victim's iPhone...
Tuesday December 12, 2023 1:57 am PST by Tim Hardwick
Apple has made available for download its major end-of-year iPhone software update, iOS 17.2, featuring a large number of features and changes that users have been anticipating for quite a while. Below, we've listed 33 new things that your iPhone can do once you've installed the update. Check Settings ➝ General ➝ Software Update on your device to get downloading. 1. Help You Keep a Daily ...
With the launch of the iPhone 15, Apple introduced design changes like a curved frame and a frosted glass back. Information acquired by MacRumors suggests that Apple's next-generation iPhone 16 will build on these updates with modifications to the buttons and the camera layout. We have details on early pre-production designs for the iPhone 16, including a look at the variants and hardware...
Tuesday December 12, 2023 1:47 pm PST by Juli Clover
Earlier this year, General Motors (GM) announced plans to phase out Apple's CarPlay and Android Auto in its future electric vehicles, with the company instead relying on an infotainment system co-developed with Google. This has not been a popular decision with iPhone users, and today, GM provided some additional insight into the decision in a discussion with MotorTrend. According to Tim...
Monday December 11, 2023 10:46 am PST by Joe Rossignol
While the iPhone 16 Pro and iPhone 16 Pro Max are still over nine months away from launching, there are already several rumors about the devices. Below, we have recapped new features and changes expected for the devices so far. These are some of the key changes rumored for the iPhone 16 Pro models as of December 2023:Larger displays: The iPhone 16 Pro and iPhone 16 Pro Max will be equipped...
Monday December 11, 2023 9:58 am PST by Juli Clover
Apple today released tvOS 17.2, the second major update to the tvOS 17 operating system that came out in September 2023. tvOS 17.2 comes more than a month after tvOS 17.1, an update that expanded the availability of the Enhanced Dialogue feature. tvOS 17.2 can be downloaded using the Settings app on the Apple TV. Go to System > Software Update to get the new software. Apple TV...
Wednesday December 13, 2023 3:21 pm PST by Juli Clover
When Apple releases new software, iOS updates tend to get most of the attention, and there are sometimes useful new features in Mac updates that go under the radar. That's the case with macOS Sonoma 14.2. It doesn't have flashy features like the Journal app that came in iOS 17.2, but there are a number of useful improvements that make it worth installing. Subscribe to the MacRumors YouTube ...
Top Rated Comments
:apple:
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.
Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.
Microsoft wouldn't allow this to go ignored as long as Apple has.
Here's more:
http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/