Apple Fixes Dangerous SSL Authentication Flaw In iOS 101
wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the mobile popular OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a 'privileged network position could capture or modify data in sessions protected by SSL/TLS.' 'While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attack,' VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible." Adds reader Trailrunner7: "The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be for an attacker with a man-in-the-middle position on the victim's network would be able to read supposedly secure communications. It's not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."
How about OS X? (Score:5, Insightful)
I heard OSX has the same problem.
@Apple: Admit that it exists (plus give advice how to prevent problems) or let us know that OSX is safe.
Re: goto fail (Score:4, Insightful)
Dumb. We are in for more than that. It took a decade to get OpenSSL clean with many more eyes on it.
Re:Details of bug (Score:4, Insightful)
Apple never "switched away" from openssl, they shipped their own implementation with the very first version of Mac OS X. They only packaged openssl with the system for other apps to use. I actually rewrote the XMPP encryption stuff in Adium to use the security framework instead of openssl way back in 2007, since that allowed me to use the built-in system dialogs for presenting certificates.
Increase safety by avoiding proprietary software (Score:2, Insightful)
The software Apple distributes to users is proprietary, even if part of that software is built from free software. Proprietary software is never safe for users. Its safety is for the proprietor—what the program allows the proprietor to do to the users.
Apparently memories around here are so short people can't remember when researchers showed Apple can read iMessages [slashdot.org] anytime Apple wants and the users have no idea which messages are being read. Whether anyone at Apple reads someone's iMessages is a detail so long as Apple can read any iMessage they choose. The same applies to any proprietor for any software which doesn't respect your software freedom. You avoid these problems by avoiding proprietary software.