iOS Update covers critical Apple iOS and OSX SSL vulnerability

Apple has released an iOS update for iOS6 and iOS7, the operating system used by iPhone and iPad devices.

Apple 7.0.6 UpdateDue to what looks like a programmers typo a serious flaw has been revealed in the way SSL connections are verified. This is no small thing as security bugs go, and Apple are undoubtedly highly embarrassed by its discovery. To protect yourself, you should install Apple’s iOS update your iPhone and iPad immediately.

The data you send and receive from secure services like your bank, webmail accounts, etc., could be intercepted “in flight” by a hacker. It would be easy to imagine how this vulnerability could be used to capture sensitive data or even inject malware to further infect your device. If you are in any doubt – this is serious!

The code that went wrong has been dubbed gotofail, due to the double entry of a code redirection statement – the technical details are on the ImperialViolet website.

The alternative web browser Opera app is not vulnerable to the gotofail bug.

OSX Still unpatched

GotoFail Bug RevealedMore worrying still is that a patch for OSX, Apple’s desktop operating system is still in the works. My Mavericks installation is currently vulnerable to this attack if I browse using Safari.

However, it would appear that Opera, Chrome and Firefox are not vulnerable to the gotofail vulnerability as they do not rely on Apple’s code.

Testing the vulnerability

A website at gotofail.com has been setup to test the proof of concept to see if your browser is vulnerable. Here are the results of opening the site on an unpatched iPhone 4S.

 

 

, , ,

No comments yet.

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.