Why iOS 7.0.6 Is A Way More Important Update Than You Think


iOS 6.0.6

On February 21st, Apple released iOS 7.0.6, a small software update that provided “a fix for SSL connection verification.” The same SSL fix was also released for older iOS 6 devices and the Apple TV. Apple pushes out smaller bug fixes from time to time, so at first glance 7.0.6 seemed like a pretty normal update.

But in reality, Apple patched a major security flaw that has potentially compromised millions of peoples’ data for years. Nicknamed “gotofail,” the bug has been flying under the radar for quite some time, and it still hasn’t been patched in OS X.

Gotofail has allegedly been present since the introduction of iOS 6, and the implications are quite severe. Until now, iOS devices using the internet over a SSL connection have been vulnerable to hackers intercepting their data, or “man-in-the-middle” attacks.

Basically, the bug allows for secure web traffic over SSL/TLS to be hijacked by someone else on the same network. It’s a relatively simple process for anyone with knowledge of the flaw.

The security firm CrowdStrike explains:

Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).

Gotofail is limited to Apple’s apps and services, like Safari and Messages. So third-party browsers like Chrome should be fine.

Many parts of OS X are still vulnerable, including Apple’s software update mechanism.

Other well-known hackers have expressed concern over the findings:

Even banks are contacting their customers and advising them to update to iOS 7.0.6 immediately. “You should install this update as soon as you can to ensure your information is as safe as possible,” warned the online-only bank Simple in an email to customers yesterday.

What is perhaps most alarming about all of this is the theory posited by Daring Fireball’s John Gruber. Gotofail was introduced with the release of iOS 6 in September 2012, and Apple was added to the NSA’s “PRISM” spying program in October 2012.

Once in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets “added” to PRISM.

Or, maybe nothing, and this is all a coincidence.

Apple issued a statement last night, per Reuters, saying it was aware of the same SSL bug that still exists in OS X. A fix will be issued soon:

Apple Inc said on Saturday it would issue a software update “very soon” to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers.

Confirming researchers’ findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: “We are aware of this issue and already have a software fix that will be released very soon.”

  • lucascott

    Interesting that the first time there seems to be any press about this 18 month old security problem is when the patch was released. If there was an attack using this issue it would have been everywhere.
    Combining this with the fact that many folks that would be dealing with credit cards etc on their devices use third party apps that seem to be immune to this issue and the whole ‘has to be on the same network’ detail.

    Rather makes a lot of the current press seem like hit whoring Apple bashing FUD

  • Dennis Mattinson

    If this was such an important update, why didn’t ANY of my 5 iOS devices notify me that an update was available? I’m talking 2 iPhone 5S, 1 iPhone 4S, 1 iPad 3 and 1 Apple TV (latest gen)

  • Kr00

    Interesting this gets a scare campaign from many sites, but the more recent serious Flash vulnerabilities go unreported. This flaw can only affect devices on unsecured networks that have a hacker connected to it, unlike Flash security flaws that can affect every computer that has it installed. Just astounding.

    • daov

      Uhh…I’ve read a lot of articles about the Flash vulnerabilities. Most news outlets that address Windows issues have reported the issues with Flash quite clearly. CoM has been uncharacteristically quiet regarding 7.0.6, which is BAD. Bad. Make no mistake: it is bad.

      • Kr00

        I see you’re back. Sigh!!

        This is CoM, an Apple forum, not a windowz forum. There has been no report on the numerous updates to flash in the past month, very serious ones, here or anywhere on Apple forums.

        This SSL issue doesn’t even come close to the serious vulnerabilities that flash pose to anyone who uses it.

        Now back under the bridge you go Ddvito.

      • daov

        You truly believe NO ONE is reporting on the Flash vulnerabilities. I work in an environment where we, unluckily, must support and update Flash for our users (Mac and Windows) regularly and we know about them. And read about them often. And it takes about two seconds to sign up to the various Adobe digests that report on their security (not that this lends them credit or anything. It’s just a fact). I’m not sure why you care or try to equate two completely different companies making completely different products?
        And really, the SSL issue doesn’t come close? We immediately had to update everyone running iOS. In a large organization, this is a big deal. And it’s been in existence in the wild for a while.
        I’m not critiquing Apple in any way here but to downplay the significance of this is foolhardy. I offer critique more of CoM as they have been lax in reporting about it.
        And just because I do not comment at CoM does not mean I don’t read the blog.

      • Kr00

        You have a link to any stories on the recent flash security issues, on Apple forums? As a troll who visits them, surely you’d seen some?

      • daov

        Weird. It took you over 24 hours to come up with this amazingly illuminating comment…
        I never said Flash was more or less risky.
        I’m trying to get you to see the fallacy of your argument that this issue is not a big deal. You fail to see that.
        Yes, Flash is deadly and a serious risk. I concur. I have to deal with shi**y Flash every day.
        You need to understand the argument a bit better as you are consistently failing to do so: this SSL issue is serious and anyone affected by it should take the necessary steps to correct it. If you cannot see that, I cannot help you. This is the part where I tell you that I’m living in reality whereas you are living in a bubble.

        If calling me a troll because I disagree with you is your way of dealing with the above argument being true, so be it. I can deal with Internet insults from random people on a message board. Sticks and stones.

      • Kr00

        Unlike yourself, I don’t troll these pages, I have a life.

        BTW, if this were an Android security issue, users would have to wait 2 years to get an update. Enjoy Danny.

      • Kr00

        Just curious, but if you were SO concerned about this issue, you tripped over yourself to get to your keyboard, I assume then I’d find a post of yours demoaning the security issues with Flash, on some forum somewhere? Hmmm?

      • Kr00

        Seriously? Flash poses a far more risk to any user and has so for decades, where the SSL issue is a very specific issue requiring very specific circumstances, and as of today, there are no reports of expliots because of the issue. I can point you to many reports on flash expliots affecting many users.

        How’s life from underneath that bridge?

      • daov

        I guess you’re right. All media outlets are against Apple and not reporting Flash issues. You’re right, I’m wrong. Please just drop it. I agree with you because you’re totally correct.

        I’m critiquing CoM. Not Apple, Adobe or anyone else or even you, really. I’m correcting you.

      • Kr00

        So how many times have you been banned from CoM again? Eight, ten, a dozen?

        You should just enjoy your life and leave your hatred somewhere else. Say a psychologists couch. Get some help buddy. It’s obvious you need it.

      • daov

        I have never been banned from any site because I have not said anything insulting or demeaning. You, on the other hand, have insulted me numerous times so far.
        I think you need to learn to read.

      • Kr00

        Oh dear, I’ve hurt your feelings. How bad of me.

      • Jamie

        Dude you’re increincredible you sound like such an ignorant fan boy lol

      • Kr00

        So why the change of name? What happened to your “other” profile then?

  • daov

    Been waiting for CoM to write something, anything, about this update and why it is important.

  • Komrad

    Basically, the bug allows for secure web traffic over SSL/TLS to be hijacked by someone else on the same network

    I’m the only one on my network, so I’m safe? And this small update is 1.24GB…what is your definition of small? I consider that huge.

  • JoeDaniel

    This critically important update bricked my phone :(

    • FlorinNegrut

      Same here

  • daov

    My Bluetooth has become spotty after this update. Anyone else?