This article originally appeared in TidBITS on 2014-02-24 at 6:33 a.m.
The permanent URL for this article is: http://tidbits.com/article/14537

Apple Updates iOS and Apple TV to Fix Critical SSL Security Bug

by Josh Centers

Apple has released iOS 7.0.6 [1], iOS 6.1.6 [2] (for the iPhone 3GS and fourth-generation iPod touch only), and Apple TV 6.0.2 [3], which you should update to immediately, as they fix a critical SSL/TLS vulnerability that could make it possible for your online accounts and financial information to be compromised. On iOS, you can download the updates in Settings > General > Software Update or update through iTunes. (Unfortunately, if you have resisted upgrading to iOS 7 on a device that otherwise supports it, there’s no way to close the vulnerability — short of jailbreaking — without going all the way to iOS 7.0.6.) On the Apple TV, download the update in Settings > General > Software Updates > Update Software.

[image link] [4]

The vulnerability also affects Mac OS X, which remains unpatched as of this writing, but Apple promises a fix [5] “very soon,” likely in OS X 10.9.2. In the meantime, we recommend avoiding the Safari Web browser and instead using Google Chrome or Firefox, which are unaffected by the bug. You can check whether your browser is vulnerable by visiting this test site [6]. Other Mac apps remain vulnerable until a general fix is released, and it would be best to avoid unsecured public Wi-Fi networks as well if possible, though the likelihood that significant exploits taking advantage of this vulnerability become widespread before Apple releases a fix is low.

The problem in SSL/TLS [7] revolves around Apple’s code not checking signatures in TLS Server Key Exchange messages, which could allow an attacker to use a man-in-the-middle attack [8] to spoof an SSL server.

Security analysts have determined that the vulnerability was caused by a misplaced “goto fail” line [9] in the operating system source code. Developer Jeffrey Grossman has confirmed [10] that the vulnerability began in iOS 6.0, but did not exist in iOS 5.1.1, giving it a nearly 18-month history.
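
To show how one misplaced “goto fail” line can disable a signature check, here is a simplified model added for illustration; it is not Apple’s source code. It assumes the pattern of a second, unconditional jump following an unbraced if, and the function names (hash_step, check_signature, verify_flawed, verify_fixed) and sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the real hash and signature routines.
   Return 0 on success, nonzero on failure. */
static int hash_step(void) { return 0; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed: the second "goto fail" is not governed by the if above it. */
int verify_flawed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;              /* always taken, with err still 0 */
    if ((err = check_signature(sig, expected)) != 0)  /* unreachable */
        goto fail;
fail:
    return err;                 /* 0 is reported as "verified" */
}

/* Corrected: braces on every branch, duplicate jump removed. */
int verify_fixed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_step()) != 0) {
        goto fail;
    }
    if ((err = hash_step()) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed sample values, not real signatures. */
    printf("flawed, wrong signature: %d\n", verify_flawed("forged", "genuine"));
    printf("fixed,  wrong signature: %d\n", verify_fixed("forged", "genuine"));
    printf("fixed,  right signature: %d\n", verify_fixed("genuine", "genuine"));
    return 0;
}
```

Compiler diagnostics such as Clang’s -Wunreachable-code and GCC’s -Wmisleading-indentation are designed to flag the pattern in verify_flawed, and a test that feeds the verifier a deliberately wrong signature catches it as well.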

John Gruber of Daring Fireball cross-referenced the release date of iOS 6.0, 24 September 2012, with a leaked PowerPoint deck on the NSA’s PRISM program, which states that Apple was added to the program in October 2012. While Gruber says that the proximity between these dates is most likely a coincidence [11], the NSA has been known to subvert the effectiveness of online security [12].

[1]: http://support.apple.com/kb/HT6147
[2]: http://support.apple.com/kb/HT6146
[3]: http://support.apple.com/kb/HT6148
[4]: http://tidbits.com/resources/2014-02/iOS-706.png
[5]: http://www.reuters.com/article/2014/02/22/apple-encryption-idUSL2N0LR0GW20140222
[6]: https://gotofail.com/
[7]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266
[8]: http://en.wikipedia.org/wiki/Man_in_the_middle_attack
[9]: http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/
[10]: https://twitter.com/Jeffrey903/status/437273379855667201
[11]: http://daringfireball.net/2014/02/apple_prism
[12]: http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption