check for security flaw in OS X and iOS

Update: Mavericks users can now update to 10.9.2 which fixes the flaw. 🙂

News is just breaking of a flaw in Apple’s implementation of SSL security, which could affect anyone using iOS and OS X 10.9 over public/open access wifi ‘hotspots’.

If you’re using iOS, please run Software Update immediately, as a patch has already been released by Apple.

No word from Apple on OS X at time of writing. You can test to see if you have the problem by clicking the following link. Basically, if SSL is working properly you shouldn’t be able to read the message on this page:

https://www.imperialviolet.org:1266

If you can read the message on that website from your Mac computer, the best advice to date is to stay off public/open access wifi networks until we hear something more from Apple.

Ars Technica have more information on the security flaw here.

About philastokes

Independent Software Developer, Technical Writer and Researcher at SentinelOne. Explaining the unexplainable with images, video and text. Scripting anything imaginable in AppleScript, Bash, Python and Swift.

Posted on February 23, 2014, in Mavericks, Security. 6 Comments.

  1. We have not “upgraded” to iOS 7 due to the apparently unsolved battery drain problem. And until that problem is solved, we should be allowed to apply the 6.1.6 patch Apple has issued for older devices, e.g. iPhone 3S. Do you know of a way to get feedback directly to Apple re: the necessity of allowing users of current devices, e.g. iPhone 4S & 5, running iOS 6 to apply the 6.1.6 patch they have issued for older devices?

  2. There’s an awful lot of media FUD on this. Important to note that there is no known threat at this time, so it’s just a simple (though serious) vulnerability, just like the dozens found in Flash and Java and Microsoft products every week.

    For those able to update to iOS 6.1.6 and iOS 7.0.6 and Apple TV 6.0.2, you should not wait. Now that details of the vulnerability have been so widely publicized, it won’t take long for malware developers to take advantage of it.

    Somebody has already developed a patch for Mavericks, so it shouldn’t be much longer before Apple takes care of that hole.

    Then the only ones at risk without a solution are iOS users that cannot upgrade their older iDevice.

    • Thanks Al.

      I’m no expert on security issues, but I’m not sure I agree that there’s “no known threat”.

      As I understand it, it’s a general flaw rather than a specific threat. The coding flaw allows man-in-the-middle attacks from anyone on the same network; that’s a real vulnerability to anyone if they are being targeted. It could also be a threat to anyone on a public network if the owner of the network is untrustworthy or someone else on the network is sniffing for vulnerable users. The latter is a trick wannabe-hackers might pull on open access coffee shop hotspots, for example.

      Here’s a bit more from the Ars Technica article:

      The flaw, according to researchers, causes most iOS and Mac applications to skip a crucial verification check that’s supposed to happen when many transport layer security (TLS) and secure sockets layer (SSL) connections are being negotiated. Specifically, affected apps fail to check that the ephemeral public key presented by servers offering Diffie Hellman-supported encryption is actually signed by the site’s private key. Attackers with the ability to monitor the connection between the end-user and the server can exploit this failure to completely decrypt and manipulate the traffic by presenting the app with a counterfeit key.
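The skipped check described in the quoted passage, modeled in simplified C as an added example (not Apple's code and not part of the original post or comments): a stray unconditional `goto` returns success before the tag over the ephemeral key is verified, so a message tagged with the wrong key is accepted. The hash, the XOR tag, the message layout and every name here are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, NOT real cryptography: FNV-1a as the handshake hash,
   an XOR-keyed tag in place of RSA/ECDSA verification with the site's key. */
static int hash_update(uint32_t *h, const uint8_t *p, int n) {
    while (n--) *h = (*h ^ *p++) * 16777619u;
    return 0;
}
static int sig_verify(uint32_t key, uint32_t digest, uint32_t sig) {
    return sig == (digest ^ key) ? 0 : -1;
}

typedef struct {        /* hypothetical, heavily simplified ServerKeyExchange */
    uint8_t data[12];   /* client random | server random | ephemeral DH key */
    uint32_t sig;       /* tag over data, made with the signer's key */
} ske_msg;

ske_msg make_msg(uint32_t signing_key, uint8_t dh_byte) { /* constructed sample */
    ske_msg m = { {1, 2, 3, 4, 5, 6, 7, 8, dh_byte, 0, 0, 0}, 0 };
    uint32_t h = 2166136261u;
    hash_update(&h, m.data, 12);
    m.sig = h ^ signing_key;
    return m;
}

int verify_flawed(uint32_t cert_key, ske_msg m) {
    uint32_t h = 2166136261u;
    int err;
    if ((err = hash_update(&h, m.data, 4)) != 0) goto fail;
    if ((err = hash_update(&h, m.data + 4, 4)) != 0) goto fail;
    if ((err = hash_update(&h, m.data + 8, 4)) != 0) goto fail;
    goto fail;                             /* stray jump, taken with err == 0 */
    err = sig_verify(cert_key, h, m.sig);  /* never reached */
fail:
    return err;                            /* 0 is read as "signature valid" */
}

int verify_fixed(uint32_t cert_key, ske_msg m) {
    uint32_t h = 2166136261u;
    if (hash_update(&h, m.data, 12) != 0) return -1;
    return sig_verify(cert_key, h, m.sig); /* the only path that returns 0 */
}

int main(void) {  /* 0xC0FFEE: site key; 0xBAD: a key the site does not hold */
    printf("flawed accepts forged: %d\n", verify_flawed(0xC0FFEEu, make_msg(0xBADu, 0x99)) == 0);
    printf("fixed accepts forged:  %d\n", verify_fixed(0xC0FFEEu, make_msg(0xBADu, 0x99)) == 0);
    return 0;
}
```

In the hardened form success can only come from the verification call itself, which is why a test connection to a server presenting a badly signed key should fail.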

      • In general, there are three steps to the production of malware:
        Recognition of a vulnerability
        Development of an Exploit (often a “Proof-of-Concept”)
        Development of a “Threat” which can take advantage of the vulnerability by using an exploit to impact the OS or its applications in an undesirable manner, usually for gain.

        In this case, attackers will need to come up with a counterfeit key (possibly trivial) and then start harvesting information that would be worthwhile later on (e.g. credit card information).

        As I said before, flaws are found every day, but Threats have been rare in the OS X / iOS world to date. Apple has usually been pretty good at keeping the Flaws out of the press until they have a fix, but for whatever reason this one is making headlines.

        • As I said before, flaws are found every day…whatever reason this one is making headlines.

          Sure, but mostly they’re theoretical, or apply to specific hardware or software configurations or are so technical that very few people could execute them. Flaws in SSL are certainly not found every day, and SSL is used by almost every device on the internet. Apple’s own security notice describes the flaw as:

          An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

          All that seems to me to be a very different thing from most vulnerability warnings.
