
Apple releases critical security update to patch SSL bug on all iDevices



#1 Grinler

Grinler

    Lawrence Abrams



Posted 24 February 2014 - 08:08 PM

If you use an iOS device such as an iPad, iPhone, or iTouch you should immediately upgrade your device to the latest software. On Friday, Apple released update 7.0.6 which patches a critical bug in their SSL/TLS implementation for their iDevices. This bug also affects OS X computers, but at this time there is no patch available. Unfortunately, for those who do not wish to upgrade to iOS 7, unless your device is jailbroken there is no way to patch the exploit without upgrading.

The security hole that this patch fixes allows someone to perform a man-in-the-middle SSL attack on your device. When you use an SSL connection between your device and a remote server, the traffic is normally encrypted so that others on the same network can't see what you are transmitting. With this bug, anyone who is connected to the same wired or wireless network as your device will be able to listen in and manipulate the data that you send over SSL.

To install this update, start charging your phone and then, while plugged in, go into the device's Settings and select General and then Software Update. As already stated, if you are still using iOS 6, you will be required to update to version 7 in order to install this update.




#2 NickAu

NickAu

    Bleepin' Fish Doctor



Posted 24 February 2014 - 08:23 PM

Hello Grinler

 

I have an iPhone 3GS, not jailbroken. This morning when I turned on my phone there was an update waiting to be installed. I allowed the update, and the phone did its thing with no issues; all updated and running well.

Isn't jailbreaking a breach of the Apple TOS?

"if you are still using iOS 6, you will be required to update to version 7 in order to install this update."

I did not have to update to iOS 7; my iOS is 6.1.6 and all my software is up to date. Did my phone install the security update? When I run the software update it says "Your software is up to date"


Edited by NickAu1, 24 February 2014 - 09:25 PM.


#3 boopme

boopme

    To Insanity and Beyond



Posted 24 February 2014 - 08:28 PM

Nick, probably as you have an iPhone 3.

 

http://support.apple.com/kb/HT6147

 

About the security content of iOS 7.0.6

 

This document describes the security content of iOS 7.0.6.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

iOS 7.0.6
  • Data Security

    Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

    Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

    Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

    CVE-ID

    CVE-2014-1266



#4 computerxpds

computerxpds

    Bleepin' Comp



Posted 24 February 2014 - 09:03 PM

iOS 6.1.6 was also released and included the same fix for SSL. http://support.apple.com/kb/HT6146


Edited by computerxpds, 24 February 2014 - 09:03 PM.


#5 Grinler


Posted 24 February 2014 - 09:18 PM

And how can that be installed?

#6 Grinler


Posted 24 February 2014 - 09:20 PM

From what I see, 6.1.6 is only for 3 and 4g.

#7 NickAu


Posted 24 February 2014 - 09:25 PM

@Grinler

My phone said there was an update; I selected yes, update, and it did. And yes, my phone is an iPhone 3GS 16 gig. Like me, it's old but it works.

Thanks for the info guys.



#8 computerxpds


Posted 24 February 2014 - 10:13 PM

"From what I see, 6.1.6 is only for 3 and 4g."

Yes, that's what it is for. If one is running an iPhone 4S or higher then they will need to update to iOS 7.0.6. :)



#9 jessen22

jessen22


Posted 24 February 2014 - 10:59 PM

For those of us who are jailbroken and have a device that cannot run iOS 7 (meaning we must stay on iOS 6.x or earlier for now), you can either do a (UPDATE (see below): UNtethered) jailbreak with 6.1.6, or, if you're just worried about the SSL issue,

 

You can install the SSLPatch package from Ryan Petrich's repo. Add "http://rpetri.ch/repo/" to your sources, and search for & install SSLPatch. After restarting Springboard you should be safe.

 

UPDATE: It's now possible to do an untethered break of 6.1.6, so please do that as soon as possible to cover yourself properly with the security update. The unofficial patch might not actually cover everything that Apple & others have discovered.

 

Everyone using iOS 7.x should be at 7.0.6, jailbroken or not.

 

For all devices of any kind, visit https://gotofail.com to see if you are safe. For iDevices, please visit using Safari to check if Apple's libraries are patched; certain other apps such as Chrome use their own libraries which aren't affected, but all system features and apps use Apple's libraries, so you should test that page using Safari.


Edited by jessen22, 25 February 2014 - 02:00 PM.
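
Added example, not part of any post in this thread and not Apple's code: CVE-2014-1266 is widely known as "goto fail" (hence the gotofail.com test site mentioned above) because the missing validation came from a duplicated `goto fail;` line that jumped past the signature check with the error code still set to success. The simplified C model below uses hypothetical function names and constructed inputs to show the flawed control flow beside a corrected one, plus the negative test that exposes it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for handshake steps (0 = success); not Apple's code. */
static int hash_update(const char *params) { return params ? 0 : -1; }
static int check_signature(const char *sig, const char *valid) {
    return strcmp(sig, valid) == 0 ? 0 : -1;
}

/* Flawed pattern: the second goto is not guarded by the if, so it always
   runs and the signature check is skipped while err still holds 0. */
int verify_flawed(const char *params, const char *sig, const char *valid) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    goto fail; /* duplicated line: always taken */
    if ((err = check_signature(sig, valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected pattern: braces on every branch, no stray jump. */
int verify_fixed(const char *params, const char *sig, const char *valid) {
    int err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

typedef int (*verify_fn)(const char *, const char *, const char *);

/* Negative test: a forged signature (constructed sample) must be rejected. */
int rejects_forged(verify_fn verify) {
    return verify("server-params", "forged-sig", "valid-sig") != 0;
}

int main(void) {
    printf("flawed rejects forged: %d\n", rejects_forged(verify_flawed));
    printf("fixed rejects forged:  %d\n", rejects_forged(verify_fixed));
    return 0;
}
```

A test suite that only checks that valid signatures are accepted passes against both versions; only the forged-signature case tells them apart.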


#10 computerxpds


Posted 25 February 2014 - 01:38 PM

The OS X 10.9.2 update, released today, has the fix for the SSL bug rolled in. The patch notes do not say it has it, but news outlets are reporting that it is indeed in the update. http://9to5mac.com/2014/02/25/apple-releases-os-x-mavericks-10-9-2-with-facetime-audio-contact-blocking-mail-fixes/ It is recommended that all users update their Macs to protect their security.

