If you are running iOS 6 or iOS 7, update now!
This week, Apple released security updates to fix an SSL/TLS vulnerability caused by a doubled "goto fail" statement. Some versions of OS X are also affected.
iOS 7.0.6 and iOS 6.1.6 were released on Friday, February 21, 2014 to fix an encryption validation problem that could be used for MITM (man-in-the-middle) attacks. Apple's notes for the security update, CVE-2014-1266:
“Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS”
iOS 7.0.6 update fixed the problem for:
- iPhone 5s
- iPhone 5
- iPhone 4
- iPod touch (5th generation)
- iPad Air
- iPad 2 and later
iOS 6.1.6 update fixed the problem for:
- iPhone 3GS with iOS 6
- iPod touch (4th generation) with iOS 6
It’s nice to see Apple extending the security update to most iOS devices, including devices as old as the 2009 iPhone 3GS. In contrast, this Android MITM problem affects most Android users. And the sad reality is that most Android users will not see a fix anytime soon, if ever.
How to Update an iOS Device
You should receive a notification about the update. To update manually, on the iOS device go to:
Settings > General > Software Update
Note: the above performs an over-the-air (OTA) update on the iOS device. The OTA update is much smaller than the iTunes update, which needs to download the full 1GB+ iOS firmware. But the OTA update is not for everyone, especially if you want to update a jailbroken iOS device.
What’s the double “goto fail” bug?
Here’s a technical explanation of the Apple “goto fail” bug. Basically, there’s an extra line of code. The extra code affects the security of certain types of encrypted communications.
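A simplified model of how one extra line can do this, added here as an example (it is not Apple's code). The function names, the stand-in hash and signature steps, and the 0 / -1 return convention are assumptions made for illustration:

```c
#include <stdio.h>

/* Constructed stand-ins for the real steps; each returns 0 on success. */
static int hash_step(int ok) { return ok ? 0 : -1; }
static int check_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Buggy shape: the second "goto fail" is not guarded by the if above it.
   It always runs, the signature check is skipped, and err still holds
   the 0 left by the previous successful step. */
int verify_buggy(int sig_valid)
{
    int err;
    if ((err = hash_step(1)) != 0)
        goto fail;
    if ((err = hash_step(1)) != 0)
        goto fail;
        goto fail;              /* the extra line: always taken */
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;                 /* the caller reads 0 as "verified" */
}

/* Corrected shape: duplicate removed, braces on every branch so a stray
   line cannot silently fall outside the condition. */
int verify_fixed(int sig_valid)
{
    int err;
    if ((err = hash_step(1)) != 0) {
        goto fail;
    }
    if ((err = hash_step(1)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature: %d\n", verify_buggy(0));
    printf("fixed, bad signature: %d\n", verify_fixed(0));
    return 0;
}
```

Compilers can flag this pattern: GCC's `-Wmisleading-indentation` (part of `-Wall`) and Clang's `-Wunreachable-code` both warn on the buggy function.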
To test it yourself, go to https://www.imperialviolet.org:1266/. If you can load an HTTPS site on port 1266, then you have this bug. The bug does NOT affect:
- iOS devices that only enabled TLS 1.2
- iOS devices that only enabled RSA ciphersuites
- Apps that use NSS for SSL/TLS
OS X
In terms of OS X, 10.9.1 and 10.9.0 are confirmed vulnerable. Apple is likely to release a fix soon. Meanwhile, if you are on the affected versions, avoid using public WiFi and other untrusted / unsecured networks.
ObamaPacman tested:
- OS X 10.8.5 is not affected
- OS X 10.7.5 is not affected
- OS X 10.6.8 is not affected