That iOS 7.0.6 Update Plugs a Big (and Stupid) Security Hole

On Friday Apple released an iOS update for its mobile devices. iOS 7.0.6 and 6.1.6 were targeted as security fixes and as those who investigate these things have discovered they plugged a pretty serious hole. So much so that warnings of “install the patch now” should not be ignored. To put it another way, until the update iOS users have been walking down the street with their flies open. To put it in a different context, the same hole still exists in OSX Mavericks. Apple promises to have a fix for that “very soon.”

Here’s the rub. The security hole looks like it was an example of bad programming and embarrassingly so. As Wired explains it, there was a simple duplicate GoTo command written that effectively bypassed the code that effected the SSL encryption security check, essentially rendering that process moot. In other words sensitive information sent via an affected device, such as credit card numbers, passwords, etc… were available for hackers or the NSA to observe or alter.

Image via Wired

Image via Wired

Given that this bad code apparently has been around since iOS 6.1.5 and OSX 10.9.0, the bug theoretically could have exposed quite a few to malicious conduct. Without the security check, any device with the bug operating on an open network, such as at coffee shop, or other public WiFi location was vulnerable. The news surrounding this bug has been bubbling since the release of the update and has generated a hashtag #gotofail along with speculation that this might be a way that the NSA backdoored itself into iOS.

Users should update any iOS devices as soon as possible, preferably over a non public WiFi source. Until a fix is issued for OSX Mavericks, those users should avoid using public WiFi connections. Ars Technica also has information on this developing story along with a link to a test page created by Google engineer Adam Langley to see if your device is vulnerable. Using that test link on a completely patched MacBook Pro 13 tethered to a newly patched iPad Air connected via AT&T LTE, I received the following message:

If you can see this message then you are probably affected by CVE-2014-1266! See https://www.imperialviolet.org/2014/02/22/applebug.html for details and http://support.apple.com/kb/HT6147 for the iOS patch.

Advertisement

Test results are explained as follows:

Apps that are able to access the text without generating an error are presumed vulnerable. While Chrome is one of the few applications that isn’t susceptible to the attack, Langley said it wasn’t clear if the update mechanism for the Google browser is vulnerable. If so, it would mean that attackers may still be able to compromise Chrome users, at least in some cases. It’s unclear if Firefox is vulnerable to similar techniques, but until Mozilla representatives weigh in, readers should leave open that possibility as well.

Apple (and most other companies) typically don’t comment in detail about these kind of security issues, especially if a hole remains unpatched. I would imagine though we’ll be hearing about a patch relatively soon given the very open, and again, embarrassing simplicity of the error that led to this major security flaw.

Patch your devices and be careful out there.

Comments

  1. olcap says

    When I see the snowball of failures that has been building since the release of ios 6.0, I feel completely vindicated in deciding to not “upgrade” from ios 5.1.1, yet new apps sometimes target ios 6.0 or later. This causes me to scratch my head in wonder at why we as consumers allow these companies to continue to dump inferior software upon us, whenit is CLEARLY untested even at the most basic levels.

    A duplicate line of code? Seriously? This should have been caught immediately in regression testing, and it’s clear that proper regression testing was not done. I find this outrageous, yet it seems that most just complain but never actually do anything to pressure the companies to live up to their end of the agreement with their CUSTOMERS.

    Such disregard for customers these days is just off the charts. They don’t deserve our business the way they currently operate.

  2. mikemilstead says

    I updated my iPad to 7.0.6 in response to all the ‘OMG’ emails…..result is now my iPad will no longer reset to position of screen when moved from 6” wide to 8” wide …..in fact it will not change position no matter what I try…..any help will be appreciated.

Leave a Reply