“Apple’s ‘Gotofail’ bug is a big deal because customers were exposed to risk for a long time,” Jonny Evans writes for Computerworld. “The only positive of this appalling oversight is that it illustrates why users of any platform should embrace the following security tips.”
“Apple released security updates for iOS 7 and iOS 6 last Friday following its discovery that: ‘An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,'” Evans writes. “What this means is that when you’ve been sending emails, checking your bank account or using most any online service on a shared network than an attacker can monitor what you do and find ways to steal or subvert your data.”
“The problem doesn’t affect iOS 5 devices, but OS X is affected, with Apple promising a fix ‘very soon,'” Evans writes. “It’s an appalling oversight (is it an oversight?), but even a big threat like this need not be a huge problem to Mac or iOS device users who follow these simple security tips.”
Read more in the full article here.
Related articles:
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014
…and let the conspiracy theories begin.:)
I’ve been seeing the conspiracy theories, aka the nefarious/treasonout NSA using this security hole to spy on Mac users.
Except, this security hole is very recent, only being present in very recent versions of Safari (and equivalent code in the Apple TV OS). It doesn’t exist in Safari 6, only Safari 7. Therefore, I’ve turned my paranoia setting down to ‘simmer’.
Use Windows 7 in Bootcamp.
Sadly, Apple prioritized iOS7 and left Mac users twisting in the wind.
For browsing you can use Chromium- the non Googlefied version of Chrome.
http://www.freesmug.org/chromium
Yes. Let’s all exchange one small bug that only affect SSL sessions and only with a man in the middle attack for the dozens of windows 7 holes and hundreds of attack vectors.
I ran the gotofail test on both Safari and Chrome. Safari failed and it has been temporarily removed from my dock, because it is too easy to click on. Chrome did not fail.
Apple does not have too long to fix the problem or I may become accustom to Chrome.
I’m sure we’ll all lose sleep over your decision.
“An attacker with a privileged network position.”
Yeah. You granted permission for some unknown hacker person to log onto your network. Or you were so stupid you worked critical proprietary stuff on a network where you didn’t know anybody. Duh!
Has anyone see anything published with even one user having his data compromised? The other operating system vulnerabilities numbers dwarf Apple’s. This is just more fodder for the idiot tech writers to get readership.
Not long ago Target had 40 million (later updated to more than 70 million) customer credit cards data compromised and it didn’t get this much press.
Yep.
Yes, and I just received notification from Forbes about needing a new password there. The beat goes on.
I just checked with the only other person of “privileged network position” (my wife) that has been on my network. She confirmed that she was not a hacker. I believed her.
Bah.
Just use 10.6.x Snow Leopard and Safari, and all is good — passed above mentioned test with no problems.
Niffy
Small Correction to one point in the story: Apple released iOS 6 security updates for iPhone 3GS and iPod Touch. If you have an iPhone 4 or later, you must install iOS7. If you wanted to stay with iOS 6 on an iPhone 4/4S, the iOS 6 security update is not available.
iOS 6 update IS coming.
Okay, so the problem I have with this article is the author is totally clueless. Except for the open public wifi. But still, you can hard code your DNS to avoid many of the man in the middle vectors.
Firefox passes the gotofail.com test.
I use Thunderbird, but apparently there’s no way to test whether it’s vulnerable.
Good informative read, Thank you so much for nice information….. For more details and iMac price in India…. click the link apvision.in imac price in india