Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Apple Updates iOS and Apple TV to Fix Critical SSL Security Bug
Josh Centers

Apple has released [1]iOS 7.0.6, [2]iOS 6.1.6, and [3]Apple TV 6.0.2, which you should update to immediately, as they fix a critical SSL/TLS vulnerability that could make it possible for your online accounts and financial information to be compromised. On iOS, you can download the updates in Settings > General > Software Update or update through iTunes. On the Apple TV, download the update in Settings > General > Software Updates > Update Software.

[4]Image

The vulnerability also affects Mac OS X, which remains unpatched as of this writing, but [5]Apple promises a fix 'very soon,' likely in OS X 10.9.2. In the meantime, we recommend avoiding the Safari Web browser, and instead using Google Chrome or Firefox, which are unaffected by the bug. You can check whether your browser is vulnerable by [6]visiting this test site. Other Mac apps remain vulnerable until a general fix is released, and, if possible, it would be best to avoid unsecured public Wi-Fi networks as well, though the likelihood of significant exploits that take advantage of this vulnerability becoming widespread before Apple releases a fix is low.

The [7]problem in SSL/TLS revolves around Apple's code not checking signatures in TLS Server Key Exchange messages, which could allow an attacker to use [8]a man-in-the-middle attack to spoof an SSL server. Security analysts have determined that the vulnerability was [9]caused by a misplaced 'goto fail' line in the operating system source code. Developer Jeffrey Grossman [10]has confirmed that the vulnerability began in iOS 6.0, but did not exist in iOS 5.1.1, giving it a nearly 18-month history.
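To make the 'goto fail' defect concrete, here is an added illustration in C that is not Apple's code and not part of the original article. It models only the control-flow shape of the bug: a cleanup label reached by an unconditional, duplicated goto while the error variable still holds the success value from the previous step, so the signature check on the Server Key Exchange parameters is skipped and the caller sees success. The digest and signature routines (toy_hash_update, toy_raw_verify, toy_sign), the error codes, and the parameter blob are constructed stand-ins with no cryptographic meaning; the point is the flow, not the arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return convention as in the affected code: 0 is success, non-zero is an
 * error. The specific values are assumptions for this example. */
#define ERR_OK       0
#define ERR_HASH    -1
#define ERR_BAD_SIG -2

/* Toy digest (multiply-and-add over the bytes): a constructed stand-in for
 * the hash-update step, with no cryptographic strength. */
static int toy_hash_update(uint32_t *ctx, const uint8_t *buf, size_t len)
{
    if (buf == NULL)
        return ERR_HASH;
    for (size_t i = 0; i < len; i++)
        *ctx = *ctx * 31u + buf[i];
    return ERR_OK;
}

/* Toy "signature": the big-endian digest of the signed parameters. A
 * constructed stand-in for the real public-key verification step. */
static int toy_raw_verify(uint32_t digest, const uint8_t sig[4])
{
    uint32_t got = ((uint32_t)sig[0] << 24) | ((uint32_t)sig[1] << 16) |
                   ((uint32_t)sig[2] << 8)  |  (uint32_t)sig[3];
    return got == digest ? ERR_OK : ERR_BAD_SIG;
}

static void toy_sign(const uint8_t *params, size_t len, uint8_t sig[4])
{
    uint32_t d = 0;
    toy_hash_update(&d, params, len);
    sig[0] = (uint8_t)(d >> 24); sig[1] = (uint8_t)(d >> 16);
    sig[2] = (uint8_t)(d >> 8);  sig[3] = (uint8_t)d;
}

/* The defective control flow. After a successful hash update err is 0, and
 * the duplicated, unconditional "goto fail" jumps to the cleanup label
 * before the signature is ever checked, so any signature is accepted. */
int verify_signed_params_buggy(const uint8_t *params, size_t len,
                               const uint8_t sig[4])
{
    uint32_t digest = 0;
    int err;

    if ((err = toy_hash_update(&digest, params, len)) != 0)
        goto fail;
        goto fail;                    /* misplaced line: always executes */
    if ((err = toy_raw_verify(digest, sig)) != 0)
        goto fail;

fail:
    return err;
}

/* Corrected flow: every goto sits inside braces, so a stray duplicate can
 * no longer become an unconditional jump past the verification step. */
int verify_signed_params_fixed(const uint8_t *params, size_t len,
                               const uint8_t sig[4])
{
    uint32_t digest = 0;
    int err;

    if ((err = toy_hash_update(&digest, params, len)) != 0) {
        goto fail;
    }
    if ((err = toy_raw_verify(digest, sig)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed ServerKeyExchange-style parameter blob (not real DH values). */
static const uint8_t kParams[] =
    "constructed: dh_p|dh_g|dh_Ys|client_random|server_random";

/* Run either checker against the blob's valid signature or a forged one. */
int check_with(int use_fixed, int forge)
{
    uint8_t sig[4];
    size_t len = sizeof kParams - 1;      /* drop the terminating NUL */
    toy_sign(kParams, len, sig);
    if (forge)
        sig[0] ^= 0xFF;                   /* guaranteed to mismatch */
    return use_fixed ? verify_signed_params_fixed(kParams, len, sig)
                     : verify_signed_params_buggy(kParams, len, sig);
}

int main(void)
{
    printf("buggy, forged signature: %d (0 means accepted)\n", check_with(0, 1));
    printf("fixed, forged signature: %d\n", check_with(1, 1));
    printf("fixed, valid signature:  %d\n", check_with(1, 0));
    return 0;
}
```

Two practical takeaways for reviewers of C code in this shape: the second `goto fail` is itself reachable, so what a compiler can flag is the verification call after it being dead code (clang's `-Wunreachable-code` reports this; GCC does not reliably), and the cleanup-label pattern should be paired with a convention that `err` is only allowed to hold success once the final check has actually run.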
John Gruber of Daring Fireball cross-referenced the release date of iOS 6.0, 24 September 2012, with a leaked PowerPoint deck on the NSA's PRISM program, which states that Apple was added to the program in October 2012. While Gruber says that [11]the proximity between these dates is most likely a coincidence, the NSA has been known to [12]subvert the effectiveness of online security.

References

1. http://support.apple.com/kb/HT6147
2. http://support.apple.com/kb/HT6146
3. http://support.apple.com/kb/HT6148
4. http://tidbits.com/resources/2014-02/iOS-706.png
5. http://www.reuters.com/article/2014/02/22/apple-encryption-idUSL2N0LR0GW20140222
6. https://gotofail.com/
7. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266
8. http://en.wikipedia.org/wiki/Man_in_the_middle_attack
9. http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/
10. https://twitter.com/Jeffrey903/status/437273379855667201
11. http://daringfireball.net/2014/02/apple_prism
12. http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption