A major SSL security bug that could be used to maliciously obtain sensitive data transmitted over secure internet connections has been identified by Apple.
This SSL security bug affects iPhones and iPads running iOS 6 and iOS 7. It also affects Macs running OS X 10.9 (Mavericks).
If you have an iPhone 3GS running iOS 6, it should be updated to 6.1.6. Please see http://support.apple.com/kb/ht4623 for Apple’s iOS update instructions.
If you have an iPad or iPhone 4/4s/5 running iOS 6, it should be upgraded to 7.0.6. Apple doesn’t provide a way to update these devices to 6.1.6, and is forcing the 7.0.6 upgrade. This upgrade process can be time-consuming, potentially taking over an hour. Please see http://support.apple.com/kb/ht4623 for Apple’s iOS upgrade instructions.
If you have an iPad or iPhone running iOS 7, it should be updated to 7.0.6. Please see http://support.apple.com/kb/ht4623 for Apple’s iOS update instructions.
Macs running OS X 10.9 should be updated to 10.9.2. See http://support.apple.com/kb/ht1338 for Apple’s OS X update instructions. All Covered clients in the Chicago area will have this OS X 10.9.2 update automatically pushed out to them.
Apparently, SSL has been broken since iOS 6 was released in September 2012. Apple forgot to include an end bracket on a single line of code, and that mistake resulted in SSL traffic not being encrypted like it should be. This means data transferred over a local wired or wireless network could be maliciously “sniffed”, and things like usernames/passwords could be easily extracted. This is commonly referred to as a man-in-the-middle attack, where a hacker on the local network intercepts data. It is a particular threat on public Wi-Fi hotspots (think Starbucks, hotels, libraries…).
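To show why a missing set of brackets around a one-line `if` body can disable a security check, here is an added example (not Apple’s code) that mirrors the structure of the bug: an unbraced `if` followed by a duplicated `goto fail;` line. The `hash_update`, `hash_final` and `verify_sig` functions are constructed stand-ins for the real TLS steps, and the error codes are assumed values.

```c
#include <stdio.h>

/* Constructed stand-ins for Apple's OSStatus and error codes (assumption). */
typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809 };

/* Simulated verification steps; each returns 0 on success. Only the
 * final signature check is allowed to fail in this demo. */
static OSStatus hash_update(int ok) { return ok ? errSecSuccess : errSSLCrypto; }
static OSStatus hash_final(int ok)  { return ok ? errSecSuccess : errSSLCrypto; }
static OSStatus verify_sig(int ok)  { return ok ? errSecSuccess : errSSLCrypto; }

/* Unbraced if statements plus one duplicated goto. The second goto is
 * unconditional, so hash_final and verify_sig are never reached and err
 * still holds the 0 returned by the last successful hash_update: a forged
 * signature is reported as valid. */
OSStatus verify_vulnerable(int sig_valid)
{
    OSStatus err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(1)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken */
    if ((err = hash_final(1)) != 0)
        goto fail;
    err = verify_sig(sig_valid);
fail:
    return err;
}

/* Same logic with braces on every conditional and no stray goto. A
 * duplicated goto would now sit inside the braces and change nothing. */
OSStatus verify_fixed(int sig_valid)
{
    OSStatus err;
    if ((err = hash_update(1)) != 0) { goto fail; }
    if ((err = hash_update(1)) != 0) { goto fail; }
    if ((err = hash_final(1)) != 0)  { goto fail; }
    err = verify_sig(sig_valid);
fail:
    return err;
}

int main(void)
{
    printf("forged signature, vulnerable code: %d\n", verify_vulnerable(0));
    printf("forged signature, fixed code:      %d\n", verify_fixed(0));
    return 0;
}
```

Compiling with `-Wall` on a recent GCC or Clang flags the misleading indentation, which is one of the checks that would have caught this pattern.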
This SSL bug also exists in OS X 10.9 Mavericks. All applications that use Apple’s SSL mechanism are affected by this bug, including Mail and Outlook. VPN uses its own layer of data encryption, so data transmitted over VPN would be secure even if sent from an unpatched iPhone/iPad/Mac.
Older versions of OS X and iOS are not affected by this SSL bug; it only exists in iOS 6/7 and OS X 10.9. Apple has also released an Apple TV 6.0.2 update that fixes this bug on Apple TVs.
You can test to see if your Apple computer or device is affected by this SSL bug by visiting https://www.gotofail.com. You will either get a green bar stating “Safe” or you will get a red bar with the text “Your browser is vulnerable, patch as soon as possible”.
Although this SSL bug is one of the bigger mistakes I can remember Apple making in the last decade, it should be noted that there are no reports of it being exploited (yet). Apple apparently identified and fixed it on their own, not in response to data being compromised.
Rumor has it that Apple introduced this SSL bug deliberately to be used by the NSA. Apple of course has explicitly denied this, but conspiracy theorists point out that the timing of things might suggest otherwise (the leaked NSA PRISM document stated that Apple was added to the program one month after iOS 6 was released). For more information see http://daringfireball.net/2014/02/apple_prism