Apple's SecureTransport SSL Vulnerability

On Friday, February 21, Apple quietly released an update for iOS 7 and iOS 6 that addresses a "minor" security flaw in SSL. So what does that mean? Well, first, let's set the stage and define some terms.

SSL or Secure Sockets Layer is an industry-standard protocol used to establish and maintain a secure and encrypted connection between two computers. In other words, it allows them to whisper privately to one another without anyone being able to eavesdrop or understand the conversation. SSL is found on many sites such as online banking, online stores, and other scenarios where security is needed.

SecureTransport is the library (collection of code) designed by Apple for developers to use on iOS and OS X to establish secure connections to servers using the SSL protocol. Apple has provided this library for their own use as well as allowing other developers to use it as opposed to providing their own library.


This flaw that has been fixed in iOS 7.0.6 essentially caused SecureTransport to skip CRITICALLY important steps required to safely and effectively validate the encrypted connection. In other words, SecureTransport was being very lazy and didn't take the proper precautions to ensure the connection was REALLY encrypted and that the programs were speaking to the right server.

Because of this flaw, an attacker with a "privileged" network position… yadda yadda yadda. Basically, anyone on the same network as you with enough knowledge of this vulnerability could perform what is known as a "man-in-the-middle" attack and tell your computer he's the server and tell the server he's your computer. Since SecureTransport was lazy, it would easily fall for this trick and send the information to the attacker - who, in turn, would pass it back to the server while being able to capture and read the data.

What does that mean? That means that if you are sitting at Starbucks with an iOS device running iOS 7.0.5 or earlier, and you do any online banking, shopping, etc., an attacker could easily snoop and steal your bank account information, your usernames and passwords, along with anything else you send. Typically, this information is encrypted (and technically, it still is even in this scenario). So, if you haven't already updated your iOS device (iPod touch, iPhone, iPad, Apple TV) you need to do so IMMEDIATELY. Consider this - Apple does not support iOS 6 anymore. They stopped working on it when they released iOS 7. This flaw is so serious that they went back and fixed it in iOS 6 and released an update for iOS 6 devices. Apple NEVER updates their old software except in high threat situations such as this.

Is OS X affected? Yes it is. OS X and iOS share the same codebase with mostly superficial changes for the UI. As such, OS X (yes, that means Mavericks) is afflicted by this flaw. That's the bad news. The good news is that this flaw on OS X only affects apps that use Apple's SecureTransport library. This includes Safari, Mail, Messages, Notes, iWork, iLife, App Store, iTunes, eBooks, Calendar, Maps, and Software Update (as part of App Store). However, apps such as Google Chrome, Mozilla Firefox, and Mozilla Thunderbird supply their own SSL library and are unaffected by this flaw.


Apple has promised a fix for OS X very soon. However, because the App Store has been compromised by this flaw, I personally recommend visiting Apple's Support Downloads site to download and verify the update when it is released. I would NOT trust any updates provided by the App Store until this patch is out. Anyone with the proper knowledge could forge an "update" that would seem legit in the App Store, when in fact, it could be loaded with malware. OS X, like any UNIX-like operating system, is super hardened against viruses and malware. However, there is little the OS design can do to stop such threats when they are installed by a privileged user on the system.

You can test your iOS device or your Mac to check for vulnerability in your browser by visiting gotofail. This site has been designed to check for the flaw in your browser.
