iPhone and Mac security issue

ReadyToGo
Explorer
"A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.

If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited."

I had to do the update myself on my iPad. Have no idea why it wasn't an auto update like the last 2.

Following 2 links show more info

Security issue

Security issue
11 REPLIES

Duck
Explorer
taviking22 wrote:
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.


Same for me. Read about it on a news appl site.
Don
08-FORD F350 PSD
13 Bighorn 3055RL {For Sale}

ljr
Explorer III
1492 wrote:

Anyone care to test either browser using an Apple system with the link above for confirmation?


Safari 6.7.1 is ok (Page failed to open with SSL error.)
Larry

Davydd
Explorer
knshook wrote:
taviking22 wrote:
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.
Thanks for the suggestion. Worked perfectly,


I don't recall iOS system updates ever coming through the App Store in a notification. Generally you'll get a message or email notification and there will be an update number imposed on the Settings app icon as a reminder notification.
Davydd
2021 Advanced RV 144 WB 2500 Class B
2015 Advanced RV Ocean One Class B

knshook
Explorer
taviking22 wrote:
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.
Thanks for the suggestion. Worked perfectly,

1492
Moderator





There is a third party test for Apple Safari users to help determine if you might be vulnerable to this SSL security issue. Click or type this link bit.ly/AppleSSLTest. If you can read the message on the website, then your system or device could be vulnerable. Otherwise, if you get some type of browser secure connection failure or warning, you should be fine. My iPhone4 failed.

A rep for Google is reporting that neither Mozilla Firefox nor Google Chrome is affected by the SSL vulnerability. Apparently, both third party browsers use their own SSL/TLS libraries. Anyone care to test either browser using an Apple system with the link above for confirmation?

EDIT: Added a clickable SSL browser vulnerability check from another website. Will pop up a secondary window on desktops/notebooks. A new tab for mobile devices.

1492
Moderator
This may be the errant line of iOS code in red that caused the SSL flaw from this source:


    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;  /* the errant line: not guarded by any if, so always taken with err == 0 */
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

    /* never reached because of the duplicated goto above */
    err = sslRawVerify(ctx,
                       ctx->peerPubKey,
                       dataToSign,      /* plaintext */
                       dataToSignLen,   /* plaintext length */
                       signature,
                       signatureLen);
    if(err) {
        sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
                    "returned %d\n", (int)err);
        goto fail;
    }

    fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
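
The control-flow effect of the duplicated `goto fail;` in the snippet above, reduced to a self-contained program. This is an added example, not part of the original post and not Apple's code; `hash_update`, `raw_verify`, `good_sig` and the sample inputs are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>

/* Toy stand-ins for the hash and signature steps (hypothetical, not Apple's API). */
static int hash_update(unsigned *h, const char *data) {
    if (data == NULL) return -1;                 /* -1: bad input */
    for (; *data; data++) *h = *h * 31u + (unsigned char)*data;
    return 0;
}
static int raw_verify(unsigned h, unsigned sig) {
    return h == sig ? 0 : -2;                    /* -2: signature mismatch */
}

/* Same control flow as the posted snippet: the second goto has no condition. */
int verify_buggy(const char *rnd, const char *params, unsigned sig) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, rnd)) != 0)
        goto fail;
    if ((err = hash_update(&h, params)) != 0)
        goto fail;
    goto fail;                       /* duplicated line: always taken, err is 0 */
    err = raw_verify(h, sig);        /* never reached */
fail:
    return err;
}

/* Duplicate removed and every branch braced, so the check always runs. */
int verify_fixed(const char *rnd, const char *params, unsigned sig) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, rnd)) != 0) { goto fail; }
    if ((err = hash_update(&h, params)) != 0) { goto fail; }
    err = raw_verify(h, sig);
fail:
    return err;
}

/* Constructed helper: the signature value that matches the inputs. */
unsigned good_sig(const char *rnd, const char *params) {
    unsigned h = 7;
    hash_update(&h, rnd);
    hash_update(&h, params);
    return h;
}

int main(void) {
    printf("buggy, wrong signature: %d\n", verify_buggy("random", "params", 0u));
    printf("fixed, wrong signature: %d\n", verify_fixed("random", "params", 0u));
    printf("fixed, valid signature: %d\n",
           verify_fixed("random", "params", good_sig("random", "params")));
    return 0;
}
```

Clang's `-Wunreachable-code` warning reports the dead `raw_verify` call in `verify_buggy`; that warning is not enabled by `-Wall`.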

ljr
Explorer III
1492 wrote:
It's still unclear to me whether the intercepted SSL data could be successfully unencrypted, or just modified, but serious in that it could introduce an exploit without the user's permission.


I agree. The way SSL and TLS key exchanges work that "should" be impossible but there always seems to be somebody around that figures out how to make the impossible possible.
Larry

1492
Moderator
It's still unclear to me whether the intercepted SSL data could be successfully unencrypted, or just modified, but serious in that it could introduce an exploit without the user's permission.

1492
Moderator
As a rule, I never use smartphones or tablets to access banking or financial websites. Mobile OS have tended to be more vulnerable to exploits, and have become a chief target for hackers due to their popularity.

This is a serious flaw, one that I'm surprised Apple didn't catch much earlier, as it appears to also affect OS X desktops/laptops, whose patch has yet to be released. But behooves the importance of keeping any OS and apps updated.

Apple has become noticeably more of a target from hacker exploits. In 2012, the number of vulnerabilities reported by vendors shows Apple 2nd behind Oracle, with overall vulnerabilities rising. Most appearing to be from iTunes, Safari, and iOS. Microsoft has seen an overall reduction, and now ranking 4th overall.

You can also read a blog article about the exploit at Details about Apple SSL vulnerability....

taviking22
Explorer
Thanks for the heads up on this!

To get the update on my iPhone and iPad, I had to go to Settings > General > Software Update. It did not appear as an update in my App Store.
taviking22
Omaha, NE

'06 2500HD Silverado 4X4, Duramax LBZ, Firestone air bags
2008 Tracker Pro Guide V-16 Boat
2012 Jayco Pinnacle 31RLTS

Davydd
Explorer
As the second article mentions there is already an update to iOS to address this. It is iOS 7.0.6 and has been out a few days. What I have found is I suspect they parcel out notifications to iPhone and iPad users I'm guessing to not overload the servers. I first noticed that in previous updates that my wife's iPhone and my iPhone did not get notifications at the same time.

Just go to Settings app > General > Software Updates and it will be there even if you haven't been notified.
Davydd
2021 Advanced RV 144 WB 2500 Class B
2015 Advanced RV Ocean One Class B