« UNIX "ShellShock" Bug | Main | Apple Announces iPhone 5S and 5C »

Apple Releases SSL Vulnerability Fixes for OS X and iOS

On Friday afternoon (02/21/14), Apple released an update for iOS 7 and 6 for iPhones, iPods, iPads, and Apple TVs to fix a major problem with the integrity of SSL connections from those devices: a programming error caused Apple's SSL code to skip vital checks of a server's authenticity when establishing a "secure" connection.  Be sure to update your iOS devices immediately, either by going to Settings> Software Update> on the device, or plugging into your Mac and updating through iTunes.

Shortly after the news broke about the iOS security flaw, it was also discovered that the Mac OS was also vulnerable to the same bug, that has come to be known as "Gotofail". Apple releases an update last night that addresses this man-in-the-middle attack. Not just Safari, but any Mac application that relies on SSL authentication would be at risk, such as Twitter for Mac app, iMessage, FaceTime, and the Mail email client. This update also patches 32 other vulnerabilities. Update your Mac OS as soon as possible by running Software Update from your Mac Apple Menu. Along with the vulnerability patches in OS X 10.9.2, Apple also provided several non-security fixes to deal with reliability, stability and performance issues.

Users of Mac OS 10.7 ("Lion") and 10.8 ("Mountain Lion") are also at risk and should update their OS as well. Apple included patches for these operating systems that fixes four vulnerabilities in Safari 6, pushing the version number to 6.1.2.

More Details about the "gotofail" bug:
This means, for the last 18 or so months, when you've been sending emails, checking your bank account or using just about any secure online service on a public network (wired or wireless) an attacker could have been monitoring what you were doing and find ways to steal or subvert your data.

Although DesignCorp has always recommended not performing ANY sensitive online functions on an untrusted network.... with a bug like this, the type of online activity that puts you at risk expands well beyond just online financial transactions. Handshakes between services like Apple's iCloud or your Mail application and your mail servers were are risk. A hacker could have captured the SSL communication between your Messages app and Apple servers, or your Twitter account login. Even if you close this security hole now, your data could still be out there from past activity. 

DesignCorp strongly recommends, after running these updates, that you change all online passwords (like iCloud/iTunes Store/Apple IDs, financial institutions, email accounts, cloud data services like EverNote, DropBox, and online backup services).

Those of you who followed our advice and did little or NOTHING, on public networks, are much less at risk, but not immune to this bug. This lesson emphasizes that using your devices in public, even just for email or a FaceTime call, can be dangerous.