"A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same."It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited."I had to do the update myself on my Ipad. Have no idea why it wasn't an auto update like the last 2.Following 2 links show more infoSecurity issueSecurity issue

As the second article mentions there is already an update to iOS to address this. It is iOS 7.0.6 and has been out a few days. What I have found is I suspect they parcel out notifications to iPhone and iPad users I'm guessing to not overload the servers. I first noticed that in previous updates that my wife's iPhone and my iPhone did not get notifications at the same time.Just go to Settings app > General > Software Updates and it will be there even if you haven't been notified.

Thanks for the heads up on this!To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.

As a rule, I never use smartphones or tablets to access banking or financial websites. Mobile OS have tended to be more vulnerable to exploits, and have become a chief target for hackers due to their popularity.This is a serious flaw, one that I'm surprised Apple didn't catch much earlier, as it appears to also effect OS X desktops/laptops, whose patch has yet to be released. But behooves the importance of keeping any OS and apps updated.Source: gfi.comApple has become noticeably more of a target from hacker exploits. In 2012, the number of vulnerabilities reported by vendors show Apple 2nd behind Oracle, with overall vulnerabilities rising. Most appearing to be from iTunes, Safari, and iOS. Microsoft has seen a overall reduction, and now ranking 4th overall.You can also read a blog article about the exploit at Details about Apple SSL vulnerability....

It's still unclear to me whether the intercepted SSL data could be successfully unencrypted, or just modified, but serious in that it could introduce an exploit without the user's permission.

1492 wrote:It's still unclear to me whether the intercepted SSL data could be successfully unencrypted, or just modified, but serious in that it could introduce an exploit without the user's permission.I agree. The way SSL and TLS key exchanges work that "should" be impossible but there always seems to be somebody around that figures out how to make the impossible possible.

Iphone and Mac security issue | Good Sam Community

Duck
Explorer
Feb 23, 2014
taviking22 wrote:
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.

Same for me. Read about it on a news appl site.
Don
ljr
Nomad
Feb 22, 2014
1492 wrote:

Anyone care to test either browser using an Apple system with the link above for confirmation?

Safari 6.7.1 is ok (Page failed to open with SSL error.)
Davydd
Explorer
Feb 22, 2014
knshook wrote:
taviking22 wrote:
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.
Thanks for the suggestion. Worked perfectly,

I don't recall iOS system updates ever coming through the App Store in a notification. Generally you'll get a message or email notification and there will be an update number imposed on the Settings app icon as a reminder notification.
knshook
Explorer
Feb 22, 2014
taviking22 wrote:
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.
Thanks for the suggestion. Worked perfectly,
1492
Moderator
Feb 22, 2014

There is a third party test for Apple Safari users to help determine if you might be vulnerable to this SSL security issue. Click or type this link bit.ly/AppleSSLTest. If you can read the message on the website, than your system or device could be vulnerable. Otherwise, if you get some type of browser secure connection failure or warning, you should be fine. My iPhone4 failed.

A rep for Google is reporting that neither Mozilla Firefox or Google Chrome is effected by the SSL vulnerability. Apparently, both third party browsers use their own SSL/TLS libraries. Anyone care to test either browser using an Apple system with the link above for confirmation?

EDIT: Added a clickable SSL browser vulnerability check from a another website. Will popup a secondary window on desktops/notebooks. A new tab for mobile devices.
1492
Moderator
Feb 22, 2014
This may be the errant line of iOS code in red that caused the SSL flaw from this source:

if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;

err = sslRawVerify(ctx,
ctx->peerPubKey,
dataToSign, /* plaintext */
dataToSignLen, /* plaintext length */
signature,
signatureLen);
if(err) {
sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
"returned %d\n", (int)err);
goto fail;
}

fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
ljr
Nomad
Feb 22, 2014
1492 wrote:
It's still unclear to me whether the intercepted SSL data could be successfully unencrypted, or just modified, but serious in that it could introduce an exploit without the user's permission.

I agree. The way SSL and TLS key exchanges work that "should" be impossible but there always seems to be somebody around that figures out how to make the impossible possible.
1492
Moderator
Feb 22, 2014
It's still unclear to me whether the intercepted SSL data could be successfully unencrypted, or just modified, but serious in that it could introduce an exploit without the user's permission.
1492
Moderator
Feb 22, 2014
As a rule, I never use smartphones or tablets to access banking or financial websites. Mobile OS have tended to be more vulnerable to exploits, and have become a chief target for hackers due to their popularity.

This is a serious flaw, one that I'm surprised Apple didn't catch much earlier, as it appears to also effect OS X desktops/laptops, whose patch has yet to be released. But behooves the importance of keeping any OS and apps updated.

Source: gfi.com

Apple has become noticeably more of a target from hacker exploits. In 2012, the number of vulnerabilities reported by vendors show Apple 2nd behind Oracle, with overall vulnerabilities rising. Most appearing to be from iTunes, Safari, and iOS. Microsoft has seen a overall reduction, and now ranking 4th overall.

You can also read a blog article about the exploit at Details about Apple SSL vulnerability....
taviking22
Explorer
Feb 22, 2014
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.

Forum Discussion

Iphone and Mac security issue

About RV Must Haves

Related Content

Security question

Wi Fi security

RV security

iPhone app

Honda 2000 Security?