
Apple Updates iOS and Apple TV to Fix Critical SSL Security Bug

Apple has released iOS 7.0.6, iOS 6.1.6 (for the iPhone 3GS and fourth-generation iPod touch only), and Apple TV 6.0.2, which you should update to immediately, as they fix a critical SSL/TLS vulnerability that could make it possible for your online accounts and financial information to be compromised. On iOS, you can download the updates in Settings > General > Software Update or update through iTunes. (Unfortunately, if you have resisted upgrading to iOS 7 on a device that otherwise supports it, there’s no way to close the vulnerability — short of jailbreaking — without going all the way to iOS 7.0.6.) On the Apple TV, download the update in Settings > General > Software Updates > Update Software.

The vulnerability also affects Mac OS X, which remains unpatched as of this writing, but Apple promises a fix “very soon,” likely in OS X 10.9.2. In the meantime, we recommend avoiding the Safari Web browser and instead using Google Chrome or Firefox, which are unaffected by the bug. You can check whether your browser is vulnerable by visiting this test site. Other Mac apps remain vulnerable until a general fix is released, and, if possible, it would be best to avoid unsecured public Wi-Fi networks as well, though the likelihood that significant exploits of this vulnerability become widespread before Apple releases a fix is low.

The problem in SSL/TLS revolves around Apple’s code not checking signatures in TLS Server Key Exchange messages, which could allow an attacker to use a man-in-the-middle attack to spoof an SSL server.

Security analysts have determined that the vulnerability was caused by a misplaced “goto fail” line in the operating system source code. Developer Jeffrey Grossman has confirmed that the vulnerability began in iOS 6.0, but did not exist in iOS 5.1.1, giving it a nearly 18-month history.
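To show how one stray “goto fail” line can skip a signature check, here is an added illustration that is not Apple's source or code from this article: a constructed C reduction of the control-flow pattern beside a hardened form. All function names, the toy checksum standing in for the hash, and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins (assumptions, not real crypto): a checksum plays the hash
 * and an equality test plays the signature check. */
static int hash_update(uint32_t *h, const uint8_t *p, size_t n) {
    if (p == NULL) return -1;
    for (size_t i = 0; i < n; i++) *h = *h * 31u + p[i];
    return 0;
}
static int sig_check(uint32_t h, uint32_t sig) { return h == sig ? 0 : -1; }
uint32_t toy_sign(const uint8_t *r, size_t rn, const uint8_t *p, size_t pn) {
    uint32_t h = 17;
    hash_update(&h, r, rn);
    hash_update(&h, p, pn);
    return h;
}

/* Flawed flow: the second "goto fail" is not guarded by the if, so
 * sig_check() never runs and err is still 0 from the last update. */
int verify_buggy(const uint8_t *r, size_t rn, const uint8_t *p, size_t pn, uint32_t sig) {
    int err;
    uint32_t h = 17;
    if ((err = hash_update(&h, r, rn)) != 0)
        goto fail;
    if ((err = hash_update(&h, p, pn)) != 0)
        goto fail;
        goto fail;                 /* duplicated line: always taken */
    err = sig_check(h, sig);       /* never reached */
fail:
    return err;
}

/* Hardened flow: default to failure, brace every branch, and report
 * success only after the signature check itself has passed. */
int verify_fixed(const uint8_t *r, size_t rn, const uint8_t *p, size_t pn, uint32_t sig) {
    int err = -1;
    uint32_t h = 17;
    if (hash_update(&h, r, rn) != 0) { goto done; }
    if (hash_update(&h, p, pn) != 0) { goto done; }
    if (sig_check(h, sig) != 0) { goto done; }
    err = 0;
done:
    return err;
}

int main(void) {
    const uint8_t r[] = {1, 2, 3, 4}, p[] = {9, 8, 7};  /* constructed sample */
    uint32_t bad = toy_sign(r, 4, p, 3) ^ 1u;           /* wrong signature */
    printf("buggy=%d fixed=%d\n", verify_buggy(r, 4, p, 3, bad), verify_fixed(r, 4, p, 3, bad));
    return 0;
}
```

Compiler diagnostics such as GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` flag this pattern, which is why the buggy function may produce a warning when built.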

John Gruber of Daring Fireball cross-referenced the release date of iOS 6.0, 24 September 2012, with a leaked PowerPoint deck on the NSA’s PRISM program, which states that Apple was added to the program in October 2012. While Gruber says that the proximity between these dates is most likely a coincidence, the NSA has been known to subvert the effectiveness of online security.



Comments about Apple Updates iOS and Apple TV to Fix Critical SSL Security Bug

Dennis B. Swaney  2014-02-24 16:44
If Apple was really concerned they would release an update for ALL devices capable of running iOS 6. But no, they'd rather try to force people using iOS 6 to downgrade to the crappy iOS 7.
Kevin Kemball  2014-02-24 23:02
Early Saturday (Feb.22) morning I upgraded from iOS 6.1.5 to iOS 6.1.6 on a 4th gen iPod Touch. The badge was practically waving at me since there are so very few "alerts" on the 'Settings' panels.

Check the article text at a slower rate of speed...

The real "irritant", for lack of something more pithy, is that an OS X patch is not available at the same time.
Patching iOS and AppleTV is one thing but doing your daily banking is now a lot more iffy... (should I-shouldn't I).
barefootguru (TidBITS Contributor)  2014-02-25 01:21
If you're doing the banking on a trusted network, e.g. home, then you should be fine. It's the public Wi-Fi networks where there's potential for intercepts.
Josh Centers (TidBITS Staffer)  2014-02-25 08:43
Hi Kevin, your banking should be safe as long as you use the Chrome or Firefox browsers. Safari is easy to avoid, but the bigger concern is other apps that use Apple's SSL/TLS implementations.
So just jailbreak it. That's what I will end up doing on my wife's phone. She and I have no interest in going to iOS 7 at this point, so that's the only solution.
Jeremy Hughes  2014-02-25 01:04
I'm running Safari 6.1.1 on Mac OS 10.8.5. The gotofail test site reports that this version of Safari is safe.
Adam Engst (TidBITS Staffer)  2014-02-25 05:22
Yes, it seems that the problem may affect only OS X 10.9 Mavericks, but we didn't want to say that without more confirmation than the gotofail test site. We'll know for sure once Apple releases a fix.
I noticed something unusual after the iOS 7.0.6 upgrade to my iPad, iPad Air, iPhone 4, and iPhone 5: the battery performance degraded significantly.

I believe I solved the problem. Bluetooth was turned on via the upgrade process on all four devices. I watched it on the last two device upgrades to confirm.

Does anyone know why Apple would force Bluetooth in Settings to be "On" after an iOS upgrade?

At least I found the cause of the battery life degradation. But it makes me wonder what other settings may have been forced from "Off" to "On" or vice versa.
barefootguru (TidBITS Contributor)  2014-03-01 12:13
Presumably it's a bug. It's been happening to our iThings intermittently every iOS 7.0.x upgrade.
d kaye  2014-02-27 12:31
Has anyone had a problem with iPhoto (9.2.3/10.6.8) after upgrading to iOS 7.0.6? Neither my wife's iPad Air nor her iPhone 4 will upload photos anymore.