• Hey Guest. Check out your NeoGAF Wrapped 2025 results here!

Major security flaw in iOS and OSX, be sure to update to iOS 7.0.6 ASAP

Status
Not open for further replies.
P

PFD

Member
Apple released a new iOS update yesterday. Initially, it seemed like a very minor update, and the change log was very brief:

This security update provides a fix for SSL connection verification.
Click to expand...

It turns out, this update fixes a major security flaw in the operating system that exists on both iOS and OSX. Apple promised a fix soon for OSX.

Here's what Pod2G (security researcher/major contributor to iOS jailbreaks) had to say about this (read from top to bottom):

pod2g0ou0i.jpg


Here's a technical write-up of why this is bad, linked to by Pod2G
 
So stupid...how could that bug go unnoticed for so long. Nobody does tcp dumps there? This is why it's always a good idea to use curly braces with if-statements no matter what.
 
Can 7.0.6 still be jailbroken?

I actually value my jailbreak more than security lol.
 
Emperor Bohe said:
word. anyone know?
Click to expand...

kingocfs said:
It's sad but this is also the first thing I thought of. My bank actually sent me an e-mail about this, though...
Click to expand...

Looks like it's fine.

MuscleNerd on Twitter said:
Apple didn’t apply even 1 update that would’ve broken evasi0n7 at 7.0.6 (i.e. they let JBers have the SSL fix too). Thanks, Apple! :)
Click to expand...

https://twitter.com/MuscleNerd

I'm guessing Apple knows it's a dumb idea to fix their own major flaw and at the same time discourage jailbreakers from doing so.
 
Shit. My iP4 can barely handle iOS 6. I wasn't planning on upgrading until the iPhone 6 and iOS 8 came out later this year.
 
Vyer said:
Interesting, so the theory here is that the NSA would have discovered the bug and that was when they got added to the prism list?
Click to expand...

Yes. Depending on how far down the rabbit hole you want to go:

1. NSA have not exploited the flaw.
2. NSA found the flaw and exploited it.
3. NSA had a mole at Apple that purposely put in the flaw.
4. Apple consciously put in the flaw for the NSA.
 
Technosteve said:
Wait this was because someone wrote goto fail twice?
Click to expand...

The first goto fail runs only if the update method returns something other than 0 (which I assume indicates an error).

the second goto always runs.

Basically the code in the rectangle reads like this:

Step 1: If failure condition, goto failure code.
Step 2: Goto failure code.

the code in that screen outside and inside the rectangle essentially verifies that the data, client, and server are all SSL-compliant (I assume). But stuck inside that sequence of verifying each aspect is a random "Execute failure code" instruction that will ALWAYS run if the SSL checks up to that point have been valid.
 
What I want to know is why Apple is automatically sending data unencrypted if the SSL connection fails? Shouldn't they be alerting the user instead and asking them if they want to still send the data without SSL?

Seems like a combination of both bad code and a terrible design for security purposes.
 
GaimeGuy said:
What I want to know is why Apple is automatically sending data unencrypted if the SSL connection fails? Shouldn't they be alerting the user instead and asking them if they want to still send the data?

Seems like a combination of both bad code and a terrible design for security purposes.
Click to expand...

That's the bug, some security checks are bypassed, so a bad connection looks like a good one to the application.
 
Iolo said:
That's the bug, some security checks are bypassed, so a bad connection looks like a good one to the application.
Click to expand...

Well at least the picture is wrong (or at least, not completely accurate in depicting the problem).

For those of you who don't speak code:

Problem #1: The encrypted connection always fails (pictured).
Problems 2 through 5000000000000000000: When an encrypetd connection fails, the system automatically falls back to an unencrypted transmission.
 
JohnDoe said:
OSX too? No fix yet?

*breathing intensifies*
Click to expand...

You can mitigate it for web browsing by using Firefox or Chrome, which are not vulnerable. Check https://gotofail.com to see whether your browser is ok. If you are totally paranoid you should use a browser that was already installed instead of downloading a new one over an insecure Safari connection (although the risk is slight). You could use Chrome on iOS as well, in case you can't upgrade your OS, for example if you don't want to cripple your iPad 3 or iPhone 4 with iOS 7.

This does not help the security of other SSL connections like iCloud or the App Store, although I think app and OS updates are digitally signed which provides an additional layer of protection.
 
Incandenza said:
Is this just for Safari? If I use Chrome exclusively on iOS and Mavericks am I solid?
Click to expand...

This is from system library code that handles SSL verification from the sounds of it. anything that doesn't utilize its own implementation for Secure Socket Layers (basically every program that connects to the internet and every web browser save for Google Chrome) is vulnerable to sending secure data over an unencrypted channel on Apple devices
 
GaimeGuy said:
Well at least the picture is wrong (or at least, not completely accurate in depicting the problem).

For those of you who don't speak code:

Problem #1: The encrypted connection always fails (pictured).
Problems 2 through 5000000000000000000: When an encrypetd connection fails, the system automatically falls back to an unencrypted transmission.
Click to expand...

Not exactly. You could rename "goto fail" to "goto exit" to remove the confusion; the problem occurs when that block is called with an error code of zero (which is what the second goto does). In other words, when fail is called when there is no failure, it succeeds, bypassing further checks.

Apple's real fail here is not asserting that err is non-zero in the fail block, which would ensure fail is only called on error (and otherwise warn or crash), and would have caught the problem at virtually no cost.
 
Incandenza said:
Is this just for Safari? If I use Chrome exclusively on iOS and Mavericks am I solid?
Click to expand...

Chrome on iOS still uses the safari engine, as I understand it (as all iOS browsers are required to). I bet it has the same flaw.....
 
BocoDragon said:
Chrome on iOS still uses the safari engine, as I understand it (as all iOS browsers are required to). I bet it has the same flaw.....
Click to expand...

Chrome did not exhibit the flaw when I tested it on my iPad with iOS 6. The Mercury browser, on the other hand, is vulnerable.
 
Status
Not open for further replies.

Similar threads

In-Home Security Cameras
46
1K
Unknown? replied
How To Use AI to make memes(Chat-GPT update is incredible)
NSFW Cringe  2
55
927
Zacfoldor replied
When you’re 100% sure you’re going to win the 2026 LA Marathon
16
532
nbcjr replied
GAF keeps asking me for security verification
5
262
Trilobit replied
KOSA: Identity Verification across Social Media, Apps and Operational Systems to be mandatory in the United States
News 
31
41
Bitmap Frogs replied
Top Bottom