On Friday Apple released an iOS update for its mobile devices. iOS 7.0.6 and 6.1.6 were targeted as security fixes and as those who investigate these things have discovered they plugged a pretty serious hole. So much so that warnings of “install the patch now” should not be ignored. To put it another way, until the update iOS users have been walking down the street with their flies open. To put it in a different context, the same hole still exists in OSX Mavericks. Apple promises to have a fix for that “very soon.”
Here’s the rub. The security hole looks like it was an example of bad programming and embarrassingly so. As Wired explains it, there was a simple duplicate GoTo command written that effectively bypassed the code that effected the SSL encryption security check, essentially rendering that process moot. In other words sensitive information sent via an affected device, such as credit card numbers, passwords, etc… were available for hackers or the NSA to observe or alter.
Given that this bad code apparently has been around since iOS 6.1.5 and OSX 10.9.0, the bug theoretically could have exposed quite a few to malicious conduct. Without the security check, any device with the bug operating on an open network, such as at coffee shop, or other public WiFi location was vulnerable. The news surrounding this bug has been bubbling since the release of the update and has generated a hashtag #gotofail along with speculation that this might be a way that the NSA backdoored itself into iOS.
Users should update any iOS devices as soon as possible, preferably over a non public WiFi source. Until a fix is issued for OSX Mavericks, those users should avoid using public WiFi connections. Ars Technica also has information on this developing story along with a link to a test page created by Google engineer Adam Langley to see if your device is vulnerable. Using that test link on a completely patched MacBook Pro 13 tethered to a newly patched iPad Air connected via AT&T LTE, I received the following message:
If you can see this message then you are probably affected by CVE-2014-1266! See https://www.imperialviolet.org/2014/02/22/applebug.html for details and http://support.apple.com/kb/HT6147 for the iOS patch.
Test results are explained as follows:
Apps that are able to access the text without generating an error are presumed vulnerable. While Chrome is one of the few applications that isn’t susceptible to the attack, Langley said it wasn’t clear if the update mechanism for the Google browser is vulnerable. If so, it would mean that attackers may still be able to compromise Chrome users, at least in some cases. It’s unclear if Firefox is vulnerable to similar techniques, but until Mozilla representatives weigh in, readers should leave open that possibility as well.
Apple (and most other companies) typically don’t comment in detail about these kind of security issues, especially if a hole remains unpatched. I would imagine though we’ll be hearing about a patch relatively soon given the very open, and again, embarrassing simplicity of the error that led to this major security flaw.
Patch your devices and be careful out there.