Protect a Mac from the ‘GotoFail’ SSL / TLS security bug (until fix arrives)

“Apple recently released iOS 7.0.6 with an important security update for iPhone, iPad, iPod touch users – if you have an iOS device, you should install that update right away,” OS X Daily reports. “Though the 7.0.6 bug fix description was initially vague, further information we’ll detail below points to just how potentially serious the security issue is (or was) – basically, someone could intercept your data given the proper circumstances – and while the problem has been patched on the iOS side, the same security flaw exists for OS X for the time being.”

“To put it simply, an attacker could use this flaw to intercept data, like email, passwords, banking information, communications, basically anything, if the attacker is on the same network as you, or is otherwise able to get between your computer and a remote server,” OS X Daily reports. “This is why it is so important to avoid untrusted networks, it greatly mitigates risk.”
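The article describes the effect of the flaw but not the defect that gave it its name. The following is an added illustration, not Apple's code and not from the article or its commenters: a duplicated `goto fail;` line in Apple's TLS handshake code made the signature check on the server's key-exchange message unreachable while the function still returned success, which is what allows a man-in-the-middle to present a key it does not own. Everything here is a constructed stand-in: `hash_update`, `verify_signature`, `EXPECTED_SIG` and `FORGED_SIG` only model the shape of the real checks, and the hardened version shows the fail-closed pattern that keeps a skipped check from ever reading as success.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed test data: the "signature" is valid only when it equals
 * EXPECTED_SIG. A real client would hash the key-exchange parameters and
 * verify an RSA/ECDSA signature over them with the server's certificate key. */
static const uint8_t EXPECTED_SIG[4] = {0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t FORGED_SIG[4]   = {0x00, 0x00, 0x00, 0x00};
static const uint8_t PARAMS[8]       = {1, 2, 3, 4, 5, 6, 7, 8};

/* Stand-in for feeding handshake parameters into the transcript hash. */
static int hash_update(const uint8_t *data, size_t len) {
    return (data != NULL && len > 0) ? 0 : -1;
}

/* Stand-in for the signature check over the hashed parameters. */
static int verify_signature(const uint8_t *sig, size_t len) {
    if (len != sizeof EXPECTED_SIG) return -1;
    return memcmp(sig, EXPECTED_SIG, len) == 0 ? 0 : -1;
}

/* Vulnerable shape: the second, unconditional "goto fail;" is always taken.
 * It jumps to the cleanup label with err still 0, so verify_signature() never
 * runs and the function reports success for any signature at all. */
int verify_key_exchange_vulnerable(const uint8_t *sig, size_t len) {
    int err;
    if ((err = hash_update(PARAMS, sizeof PARAMS)) != 0)
        goto fail;
    if ((err = hash_update(PARAMS, sizeof PARAMS)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional, err == 0 here */
    if ((err = verify_signature(sig, len)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened shape: braces on every conditional so a stray line cannot attach
 * itself to an if, and success is only reported when the final check actually
 * ran. Any control-flow slip into the cleanup path yields a failure. */
int verify_key_exchange_fixed(const uint8_t *sig, size_t len) {
    bool verified = false;
    if (hash_update(PARAMS, sizeof PARAMS) != 0) {
        goto fail;
    }
    if (hash_update(PARAMS, sizeof PARAMS) != 0) {
        goto fail;
    }
    if (verify_signature(sig, len) != 0) {
        goto fail;
    }
    verified = true;
fail:
    return verified ? 0 : -1;   /* fail closed */
}

int main(void) {
    printf("vulnerable, forged signature: %s\n",
           verify_key_exchange_vulnerable(FORGED_SIG, sizeof FORGED_SIG) == 0
               ? "ACCEPTED (bug)" : "rejected");
    printf("fixed, forged signature:      %s\n",
           verify_key_exchange_fixed(FORGED_SIG, sizeof FORGED_SIG) == 0
               ? "accepted" : "rejected (correct)");
    return 0;
}
```

The reason the browser tests mentioned later on the page work is exactly this: a test server can send a key-exchange message whose signature does not match its certificate, and a client with the duplicated line accepts it anyway. A compiler run with unreachable-code warnings enabled, or a style rule requiring braces on every `if`, catches the vulnerable shape before it ships.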

3 Easy Tips to Help Protect a Mac from the SSL / TLS Security Flaw
• Avoid all untrusted networks
• Check your web browser with GoToFail
• Be sure the trusted Wi-Fi network has WPA2 security active

OS X Daily reports, “So, let’s summarize: iOS devices should update to iOS 7.0.6 or iOS 6.1.6 NOW, using a trusted network. iOS users should actively forget wi-fi networks they do not trust. No user of any device should join untrusted networks until they install the appropriate patch, and are probably better off avoiding untrusted networks in general. All Mac users should install the appropriate security update for OS X right away when it has been released (yes, we’ll post about it when it’s out). It’s not a guarantee, but by following that advice, you’re certainly better off than not.”

More details in the full article here.

“Researchers are warning that the flaw seems to affect Safari, rather than Chrome or Firefox, so switching browsers may offer a partial workaround for the vulnerability,” Andy Greenberg reports for Forbes. “I tested several browsers against a proof-of-concept demonstration of the bug recommended by several security researchers at GotoFail.com and found that Safari was in fact vulnerable to the attack, while Chrome and Firefox appeared to be unaffected. But the test shouldn’t be seen as definitive, and the impact of the flaw goes beyond browsers. Security researcher Ashkan Soltani has found that it may affect Apple’s Mail application as well, according to Ars Technica.”

“I’ve contacted Apple for comment, and I’ll update this post as soon as I hear from them. The company tells Reuters that it plans to release a second patch for OSX ‘very soon,’” Greenberg reports. “Until Apple releases a patch of its own, users should update their iOS devices to the latest version, use Chrome and Firefox rather than Safari, and try to avoid untrusted networks.”

Read more in the full article here.

[Thanks to MacDailyNews Readers “Fred Mertz” and “Lynn Weiler” for the heads up.]

12 Comments

  1. the same security flaw exists for OS X for the time being

    Everything I’m reading at a professional level point out that Mac OS X is NOT vulnerable. IOW: Everything I trust is telling me that this is merely a FUD RUMOR.

    Nonetheless, better safe than sorry.

    1. Oh and:

      Notice how all these ‘Mac is vulnerable’ articles are so ignorant as to not point out that iOS 6 was vulnerable AND so was Apple TV OS 6. That’s why Apple released simultaneous updates to ALL THREE AT THE SAME TIME.

      IOW: TechTardiness is rampant in modern tech journalism.

    2. Derek,

      Sorry, but this is definitely a problem if an attacker can get between you and an HTTPS server, which isn’t too hard if you are on an untrusted network. Check out the https://gotofail.com website – it is doing the same thing an attacker would: have your browser load https://gotofail.com and show as being secure, even though that server is actually bypassing providing the right secure certificate.
      This is the real deal, and might even be the (a?) way the NSA was secretly claiming (leaked by Snowden) to be able to intercept iOS and Mac communications.
      It seems like Apple uncovered this bug themselves while performing an audit, perhaps in response to the NSA program being disclosed.
      So, this might be another one in the PRO column for Snowden’s whistleblowing: it helped Apple know to look for and fix this bug.
      I just hope they patch Mac OS X soon, although I guess you’re less likely to be on an untrustworthy network with a Mac than with an iPhone/iPad.

      1. Thanks for your write up. I checked out another test this morning over at:
        https://www.imperialviolet.org
        His test is at:
        https://www.imperialviolet.org:1266

        Safari 7 (10.9.1) failed the test. I run Little Snitch, which caught the call out. But the problem is evident.

        I’ve been holding off writing a summary of the situation at my Mac-Security blog until I’m certain all the facts are clear. I have the sense that there are shoes to drop over this issue. But the fact that the bug is not evident in Safari 6 ‘seems’ to indicate that this wasn’t a mythical security hole being exploited by the NSA. I turned my paranoia setting down to ‘simmer’.

  2. The three tips listed are woefully inadequate.

    Sometimes (as when traveling) it is impossible to avoid using untrusted networks. WPA2 will protect you from the guy in the chair over there at Starbucks but not against an Evil Barista running the pwned router, or a corrupt ISP. And checking your browser does nothing to help the dozens of processes in your computer that rely on OS-level SSL/TLS functionality.

    There is a workaround that’s entirely effective: as detailed at http://unvexed.blogspot.com/2014/02/how-to-work-around-latest-man-in-middle.html you can utilize a VPN and tunnel right past the Evil Barista or corrupt ISP.

  3. Not that I understand these things, but I ran the check in Safari on my iPad and both my phones, the Pad was clear, but both phones needed the update installed.
    One done, t’other just verifying as I type this. Not that Safari gets used on the 4 very often, it’s my iPod and Shazam reader, mainly.

  4. Running some tests against gotofail.com and it looks like
    latest patches of 10.5, 10.6 and 10.7 are all ok.
    latest patches on 10.9 and 10.8 are vulnerable.
    So assuming the test on gotofail.com is actually testing this vulnerability, it is only Mountain Lion and Mavericks that have the problem.
