goto fail; Major Security Flaw in Apple iOS and OSX

If you are an Apple user, stop what you are doing right now, disconnect from WiFi, and take 5 minutes to read everything on this page.

I read several articles yesterday about a serious security flaw in Apple’s iOS (iPhone, iPad, etc.) and OSX (Mac) that has existed since September… of 2012. Internally Apple has been well aware of this problem for almost a year and a half (17 months), yet for some reason (shocker) they chose not to disclose this flaw publicly… so most users never knew there was a problem.

The flaw allows a hacker to intercept all of your data even though you see the secure-connection (padlock) icon that indicates SSL (Secure Sockets Layer) is in use. This flaw can normally only be exploited when you (and a hacker) are on the same public WiFi hotspot, and it only affects iPhones and iPads running iOS 6.0 through 7.0.5 and Macs running OSX. There is a fix for iOS, but currently there is no fix for Mac OSX.

Let’s just hope and pray you haven’t been checking your bank account at Starbucks or Facebooking at McDonald’s.

iPhone users: until the iOS 7.0.6 update is installed please do NOT use WiFi in any public places.

Mac users: avoid using publicly accessible WiFi until Apple releases an update.

Go to your iPhone/iPad and open Settings > General > About. Scroll down to see your device’s version information. If your device is running anything between 6.0 and 7.0.5 you need to upgrade to 7.0.6 NOW. To upgrade, connect to your personal or trusted WiFi hotspot (only use WiFi at your house or work) and open Settings > General. You should see an available upgrade. Install it immediately.

Please send a link to this page (using either of the two links below) to friends and family who might be using Apple products:

http://sodpit.com/2014/02/24/goto-fail-major-security-flaw-in-apple-ios-and-osx/

http://j.mp/OtJHKI

Update #1 – 2/24/14 – Mostly for OSX users:

Apple quietly issues iOS update to patch faulty SSL authentication (update 2: OS X patch coming)

Protect a Mac from the ‘GotoFail’ SSL / TLS security bug (until fix arrives)

Help Protect a Mac from the SSL / TLS Security Bug (Until a Fix Arrives)

Hint… the next two links should be clicked from your Mac: Use Mozilla Firefox for OSX or Google Chrome for OSX until an OSX patch is released.

Update #2 – 2/26/14: Mac OSX Patch Finally Available!

OSX Mavericks 10.9.2 Upgrade

Apple releases OS X 10.9.2 update, patches severe SSL bug

About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001

Resources:

Why Apple’s Recent Security Flaw Is So Scary

Apple Security Flaw Is “As Bad As You Could Imagine”

Extremely critical crypto flaw in iOS may also affect fully patched Macs

More…

[Image: a sample of the code showing where the problem occurred. The fragments still legible here are a “goto fail;” line and the “fail:” label it jumps to.]

The second instance of “goto fail;” (above) is what caused the flaw. Because the duplicate line is not guarded by any if statement, it always executes, so the remaining verification step is never reached and the function returns as though verification had succeeded. Supposedly it was accidentally copy/pasted before the OS was released.
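To make the control-flow mistake concrete, here is a small C illustration added to this page. It is not Apple’s code: the hashing steps, the signature comparison, the error codes and the sample inputs are all constructed stand-ins. It shows the shape of the bug (an unconditional duplicated “goto fail;” that skips the final check while the error variable still holds the success value from the previous step) next to a version written so that success can only be reported by the final check.

```c
/*
 * Constructed illustration of the "goto fail;" control-flow bug.
 * Not Apple's code: hash_update(), check_signature(), the error codes and
 * the sample "signatures" below are stand-ins invented for this example.
 */
#include <stdio.h>
#include <string.h>

/* Error codes for this example only (constructed values). */
#define VERIFY_OK          0
#define ERR_BAD_HASH_STEP  (-1)
#define ERR_BAD_SIGNATURE  (-2)

/* A message plus the signature presented for it. In this toy model the
 * signature "verifies" when it is byte-identical to the data. */
struct signed_params {
    const char *data;
    const char *signature;
};

/* Stand-in for one hashing step; only fails on a missing chunk. */
static int hash_update(const char *chunk) {
    return chunk != NULL ? VERIFY_OK : ERR_BAD_HASH_STEP;
}

/* Stand-in for the final signature comparison; the step that matters. */
static int check_signature(const struct signed_params *p) {
    return strcmp(p->data, p->signature) == 0 ? VERIFY_OK : ERR_BAD_SIGNATURE;
}

/* Vulnerable shape, kept deliberately buggy. The second "goto fail;" is not
 * under any if, so it always runs and check_signature() is dead code. err
 * still holds the 0 returned by the last hashing step, so the caller is told
 * the signature verified even when it is forged. */
int verify_vulnerable(const struct signed_params *p) {
    int err;

    if ((err = hash_update("client_random")) != 0)
        goto fail;
    if ((err = hash_update(p->data)) != 0)
        goto fail;
        goto fail;                          /* the stray duplicate line */
    if ((err = check_signature(p)) != 0)    /* never reached */
        goto fail;

fail:
    return err;
}

/* Hardened shape: every conditional body is braced so an extra line cannot
 * silently change control flow, there is no shared "fail" label, and the
 * only statement that can return VERIFY_OK is the final check itself. */
int verify_fixed(const struct signed_params *p) {
    int err;

    if ((err = hash_update("client_random")) != 0) {
        return err;
    }
    if ((err = hash_update(p->data)) != 0) {
        return err;
    }
    return check_signature(p);
}

/* Both verifiers run against a forged signature (constructed input). */
int vulnerable_result_for_forged(void) {
    struct signed_params forged = { "dh_params", "forged-sig" };
    return verify_vulnerable(&forged);
}

int fixed_result_for_forged(void) {
    struct signed_params forged = { "dh_params", "forged-sig" };
    return verify_fixed(&forged);
}

int main(void) {
    printf("vulnerable verifier, forged signature: %d (0 means accepted)\n",
           vulnerable_result_for_forged());
    printf("fixed verifier, forged signature:      %d\n",
           fixed_result_for_forged());
    return 0;
}
```

The two design choices in the fixed version are what stop this class of slip: braces on every conditional body, so a duplicated or misindented line cannot become an unconditional jump, and a single success path that runs through the last check rather than a shared error label whose variable may still hold a stale zero. Building with warnings such as gcc’s -Wmisleading-indentation or clang’s -Wunreachable-code flags the vulnerable shape at compile time; a unit test that feeds a forged signature, as the test here does, catches it regardless of compiler.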
