{"id":17383,"date":"2014-02-26T13:33:56","date_gmt":"2014-02-26T20:33:56","guid":{"rendered":"http:\/\/www.technightowl.com\/?p=17383"},"modified":"2015-04-29T07:15:36","modified_gmt":"2015-04-29T14:15:36","slug":"the-notorious-ssl-bug-at-least-apple-fixed-it","status":"publish","type":"post","link":"https:\/\/www.technightowl.live\/blog\/2014\/02\/the-notorious-ssl-bug-at-least-apple-fixed-it\/","title":{"rendered":"The Notorious SSL Bug: At Least Apple Fixed It"},"content":{"rendered":"

The headlines filled the airwaves and the daily newspapers. A serious SSL bug present in OS X Mavericks, iOS 6, and iOS 7 could result in Internet criminals eavesdropping or hijacking your account. To make matters worse, some suggested this bug provided an open door for the NSA to keep taps on you, although I wouldn’t presume that any of these things have actually happened.<\/p>\n

The signature verification bug, given the nickname “gotofail,” left literally hundreds of millions of users of Apple products vulnerable, because it allowed the attacker to use the hole in SSL and TLS\u00a0connections to \u00a0break in. Not a very pleasant prospect.<\/p>\n

Now there has been quite a bit of fear-mongering about this problem, though it’s surely a genuine issue, although it’s not as if there is any evidence that it has actually been exploited, at least not yet. News of the flaw arrived last Friday with the release of iOS 7.0.6 and iOS 6.1.6, both of which repaired the problem.<\/p>\n

But the bug also impacted OS X Mavericks, and that critical fix was added to the 10.9.2 update that arrived on Tuesday. According to published reports, the flaw involve a single line of code that allowed Internet criminals to bypass SSL\/TSL encryption, and if that happens all bets are off.<\/p>\n

If you want to know the raw details, you can examine a report posted at the Department of Homeland Security’s National Vulnerability Database<\/a>.<\/p>\n

While some of you may not be inclined to install iOS and OS X updates until they’ve been tested and proven in the wild, this is one of those situations where you need to take a chance and get with the program. Now that the existence of the bug is known, the potential for exploitation is much greater.<\/p>\n

The updates for iOS 6 and iOS 7 were strictly targeted towards fixing the SSL bug. It’s not apparent that anything else was fixed. The next iOS 7 update, expected to be known as 7.1, is expected this coming March. The fix for OS X Mavericks was distributed as part of a regular maintenance update with 10 other updates and enhancements, along with a smattering of some other less severe, security fixes.<\/p>\n

Here’s a full ist of the changes, except for those additional issues that also impact security:<\/p>\n