Apple Releases Security Critical iOS SSL Vulnerability Patch – OS X Mavericks Still Unpatched

A serious SSL connection verification vulnerability has been identified in both OS X and iOS. On Friday, Apple released the iOS 7.0.6 update to address the issue in iOS 7, but OS X Mavericks will remain unpatched until the OS X 10.9.2 update is ready, rumored to be around March 15.

A website called gotofail.com has posted a test page for the so-called “C code bug” that lets you check whether the web browser(s) running on OS X 10.9.1 are vulnerable. The test checks whether your browser verifies the signature on the ServerKeyExchange SSL/TLS message. The test page URL is:
https://gotofail.com

I ran it on Safari and Chrome on my iPad, which at that point had not yet been updated to 7.0.6.

With Chrome I got this reassuring affirmation:

“Your browser aborted loading the test image upon seeing an invalid ServerKeyExchange message.

“This means your browser is not vulnerable to the bug, however if you’re on an Apple device make sure you test Safari.”

I proceeded to check Safari, and was informed:

“YOUR BROWSER IS VULNERABLE, PATCH IMMEDIATELY!

“An attacker able to actively intercept your network connections (this is possible on most WiFi networks) can freely snoop on you, for example when you log into your bank account. Please check your browser and operating system for security updates and apply them right away. Other apps you have installed probably use the same SSL library and are also vulnerable – simply switching browsers will not fully protect you.

“This site works by using javascript to inject a hidden image with event hooks to show the appropriate message depending on whether the image loads successfully. The image is hosted on a web server which has been modified to make its ServerKeyExchange message signatures invalid. The invalid signature will cause the connection to abort when the signature is checked, provided that the signature is actually verified.”


If that sounds worrisome for the interval until Apple officially patches OS X Mavericks, the German site i0n1c (SektionEins) has posted a third-party patch for OS X, which I haven’t tried, but you can check it out at:
http://www.sektioneins.de/en/blog/14-02-22-Apple-SSL-BUG.html

I am now updating my iPad as I post this article.

The i0n1c site says:

“Because Apple decided to just release updates for iOS and leave OSX Mavericks users vulnerable over a weekend, we have looked into this issue and created a little binary patch that fixes this vulnerability by re-adding the removed code.

“This is of course just a quick and dirty solution to test the impact of this vulnerability. You should not attempt to run this on production systems. And don’t forget that we only patch the 64bit version of the Security.framework. If your code is 32bit you have to port the fix to 32bit.”
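The “removed code” the SektionEins post refers to is the signature-verification step in Apple’s SSLVerifySignedServerKeyExchange routine, which an accidentally duplicated `goto fail;` line jumps past unconditionally, so an invalid ServerKeyExchange signature is accepted. The following C program is an added illustration of that control-flow defect and its fix; it is not Apple’s code and not the SektionEins patch. The hash and verifier functions are stubs constructed for the example, and the “good-signature” / “forged-signature” strings are constructed sample inputs.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not Apple's code): the control-flow defect behind the
 * OS X / iOS ServerKeyExchange signature-check bug. hash_update() and
 * verify_signature() are constructed stand-ins; only the control flow matters. */

#define ERR_NONE          0
#define ERR_BAD_SIGNATURE (-1)

/* Stand-in for the transcript hash updates; always succeeds. */
static int hash_update(const char *chunk) {
    (void)chunk;
    return ERR_NONE;
}

/* Stand-in verifier: only the constructed "good-signature" value passes. */
static int verify_signature(const char *signature) {
    return strcmp(signature, "good-signature") == 0 ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* Buggy version: the duplicated "goto fail;" is unconditional, so
 * verify_signature() is never reached and err still holds the successful
 * result of the last hash_update(). A forged signature is accepted. */
static int verify_server_key_exchange_buggy(const char *params, const char *signature) {
    int err;
    if ((err = hash_update("client-random")) != ERR_NONE)
        goto fail;
    if ((err = hash_update("server-random")) != ERR_NONE)
        goto fail;
    if ((err = hash_update(params)) != ERR_NONE)
        goto fail;
        goto fail;   /* stray duplicated line: skips the signature check below */
    if ((err = verify_signature(signature)) != ERR_NONE)
        goto fail;
fail:
    return err;
}

/* Fixed version: identical except that the stray line is gone, so the
 * signature is actually verified before the handshake can continue. */
static int verify_server_key_exchange_fixed(const char *params, const char *signature) {
    int err;
    if ((err = hash_update("client-random")) != ERR_NONE)
        goto fail;
    if ((err = hash_update("server-random")) != ERR_NONE)
        goto fail;
    if ((err = hash_update(params)) != ERR_NONE)
        goto fail;
    if ((err = verify_signature(signature)) != ERR_NONE)
        goto fail;
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: the same parameters with a forged signature. */
    const char *params = "dh-params";
    printf("buggy  (forged signature): %d\n",
           verify_server_key_exchange_buggy(params, "forged-signature"));
    printf("fixed  (forged signature): %d\n",
           verify_server_key_exchange_fixed(params, "forged-signature"));
    printf("fixed  (good signature):   %d\n",
           verify_server_key_exchange_fixed(params, "good-signature"));
    return 0;
}
```

The buggy routine reports success (0) for the forged signature because the verifier never runs, which is exactly what the gotofail.com test detects from the browser side: a connection that should abort on an invalid ServerKeyExchange signature instead completes. Compilers that warn on misleading indentation or unreachable code will flag the stray line, which is one cheap check worth keeping enabled in a TLS code base.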

Apple’s iOS 7.0.6 security update supports iPhone 4 and later, iPod touch (5th generation), and iPad 2 and later, and can be downloaded and installed via iTunes.

For more information, visit:
http://support.apple.com/kb/DL1723

For information on the security content of this update, visit this website:
http://support.apple.com/kb/HT1222

Yet more info can be found at:
https://www.imperialviolet.org/2014/02/22/applebug.html
and
http://www.imore.com/understanding-apples-ssl-tls-bug
