On Friday, Feb. 21, Apple issued a security bulletin for iOS 7.0.6. There was not much detail in the bulletin, but it did state that the impact was “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”
The problem is the result of a coding error where an additional “goto fail” statement means that the SSL certificate is not authenticated. The result is applications running on iOS and OS X operating systems are vulnerable to man-in-the-middle (MITM) attacks. This is the case where the attacker can use his own unauthenticated certificate and pose as a legitimate website to intercept communications and trusted information; or inset malware.
The failure impacts all applications that use the SecureTransport function such as Safari, Mail, Twitter, Facetime and iMessage. Chrome nor Firefox are impacted as they use NSS for SSL/TLS.
The problem has been corrected with the release of iOS 6.1.6 and iOS 7.0.6; however, OS X 10.9.1 is still affected. Apple has confirmed that a fix for OS X will be released very soon.
If you want to test to see if you have the problem, then go to SSL/TLS Capabilities of Your Browser and hopefully you will see the following:
If you have a bad response to your browser test, you should consider the following actions:
- Ensure that your operating system is up-to-date
- Avoid non-secure networks, such as wireless Wi-Fi networks in coffee shops, airports, bookstores, etc.
- Use a virtual private network (VPN)
- Switch to an alternative browser such as Firefox or Chrome