Apple SSL Bug: Test Your Vulnerability, Fix Available Soon

Bruce Morton

On Friday, Feb. 21, Apple issued a security bulletin for iOS 7.0.6. There was not much detail in the bulletin, but it did state that the impact was “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

The problem is the result of a coding error where an additional “goto fail” statement means that the SSL certificate is not authenticated. The result is applications running on iOS and OS X operating systems are vulnerable to man-in-the-middle (MITM) attacks. This is the case where the attacker can use his own unauthenticated certificate and pose as a legitimate website to intercept communications and trusted information; or inset malware.

The failure impacts all applications that use the SecureTransport function such as Safari, Mail, Twitter, Facetime and iMessage. Chrome nor Firefox are impacted as they use NSS for SSL/TLS.

The problem has been corrected with the release of iOS 6.1.6 and iOS 7.0.6; however, OS X 10.9.1 is still affected. Apple has confirmed that a fix for OS X will be released very soon.

If you want to test to see if you have the problem, then go to SSL/TLS Capabilities of Your Browser and hopefully you will see the following:


If you have a bad response to your browser test, you should consider the following actions:

  • Ensure that your operating system is up-to-date
  • Avoid non-secure networks, such as wireless Wi-Fi networks in coffee shops, airports, bookstores, etc.
  • Use a virtual private network (VPN)
  • Switch to an alternative browser such as Firefox or Chrome

Updated February 25, 2014: Apple has released OS X 10.9.2 which fixes the SSL issue.
Updated February 26, 2014: Tested my iPod Touch with iOS 5.1.1 and it is safe.



Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation