Apple Security Alert: "Gotofail" SSL Bug

Over the past week, Apple has released critical security updates for iOS and OS X (including Lion, Mountain Lion, and Mavericks). This covers all iPhones, iPads, and Mac desktop and laptop machines with recent OSes installed.

These updates are crucial as they address a number of serious security bugs, including the recent SSL/TLS vulnerability (AKA "gotofail") that could allow a "man-in-the-middle" attacker to intercept secure connection data on a local network. The "gotofail" vulnerability is exploitable by anyone on the same wired or wireless network as the victim. It enables the attacker to masquerade as a trusted site, such as your bank or email provider, and to intercept any data sent between the victim and the intended site. Security experts have already created proof-of-concept exploits, and they speculate that similar, less benign apps are already loose in the wild. Given the target-rich scope of the systems affected, these attacks will likely become prevalent in the coming days.

Gotofail.com offers updated information about the issue and patches, as well as a quick test to see if your system is vulnerable.

RECOMMENDATIONS

Update your Apple devices and systems as soon as possible to the latest available versions (7.0.6 for iOS, 10.9.2 for Mavericks, and Security Update 2014-001 for Lion/Mountain Lion). The updates are available for iOS and OS X through Apple's Software Update service, accessible from the Apple menu, or from the "Updates" section of the App Store. The updates are also available from Apple's support downloads site. As always, be sure to fully back up your system before applying any of these updates.


Do not use untrusted networks (especially WiFi) until you can update your devices over a trusted network. On unpatched devices, set “Ask to Join Networks” to OFF, preventing them from asking to connect to untrusted networks.
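For administrators tracking many devices, the following added example (not part of the original alert) triages an inventory against the fixed versions listed in the first recommendation. The CSV layout and host names are constructed for illustration, and it assumes the reported version string alone cannot confirm Security Update 2014-001 on Lion/Mountain Lion, so those machines are flagged for a manual check.

```python
import csv
import io

# Fixed versions as stated in the advisory.
IOS_FIXED = (7, 0, 6)
MAVERICKS_FIXED = (10, 9, 2)
# Lion and Mountain Lion are patched by Security Update 2014-001.
SECURITY_UPDATE_ONLY = {(10, 7), (10, 8)}

def parse_version(text):
    """Turn '10.9' into (10, 9, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def triage(platform, version):
    """Return OK, UPDATE, CHECK (manual verification) or UNKNOWN."""
    try:
        v = parse_version(version)
    except ValueError:
        return "UNKNOWN"  # empty or malformed version string
    platform = platform.strip().lower()
    if platform == "ios":
        return "OK" if v >= IOS_FIXED else "UPDATE"
    if platform == "osx":
        if v[:2] in SECURITY_UPDATE_ONLY:
            # Assumption: the version string alone does not show whether
            # Security Update 2014-001 is installed, so flag for a manual check.
            return "CHECK"
        if v >= (10, 9, 0):
            return "OK" if v >= MAVERICKS_FIXED else "UPDATE"
    return "UNKNOWN"  # platform or release not covered by the advisory

# Constructed sample inventory (hypothetical hosts), format: host,platform,version
SAMPLE_INVENTORY = """host,platform,version
exec-iphone,ios,7.0.4
lab-ipad,ios,7.0.6
design-mbp,osx,10.9.1
build-mini,osx,10.9.2
old-imac,osx,10.8.5
kiosk,osx,
"""

def triage_inventory(csv_text):
    """Map each host in the inventory to its triage status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["platform"], r["version"] or "") for r in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts marked UPDATE or CHECK should stay off untrusted networks until they are patched or verified.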