Crucial security flaw
A patch to iOS (7.06 and 6.1.6) yesterday revealed a deep-seated security flaw within both iOS and Mavericks (OS X 10.9 and 10.9.1). You can read about the flaw here and here, but what it comes down to is a typo by one of the Apple engineers.
Whoops.
What it means for you is that all secure communications, like when you sign onto your banking site through Safari, or check your mail using Mail.app, could have been compromised by an attacker.
Note that I said “could” and not “was”. I haven’t heard reports that this flaw has been exploited in the real world, but now that the cat’s out of the bag, someone may try.
From what I can see, this flaw won’t directly lead to an attacker gaining access to your password, but rather will fool your browser into thinking it has reached a legitimate site instead of a close copy set up by the miscreant. Of course, once you think you’ve reached your bank, for example, you will probably enter your password and any other information it requests.
Bottom line: Update your iOS device to the latest version as soon as you can. Update your desktop as soon as there is something available, or use Firefox or Chrome (both unaffected) when signing on to a secure site, especially on a public network.
You can confirm the flaw by using this link. If you can see that page, your browser is not performing the correct security check and is affected by the flaw.
February 24th, 2014 at 10:11 am
Hi Kem. Tried to download Firefox on iPhone and reply was not supported on this device. Any advice? Thx, Ruth
February 24th, 2014 at 10:12 am
I spoke to the folks at Apple support yesterday (both the dept that handles computers and the dept that handles iPhone). They claimed to have no knowledge of any problem!!!! As to upgrading my 4s phone, still haven’t done. Guess I should. Thanks Kem for the info.
February 24th, 2014 at 10:16 am
Firefox and Chrome are both for the MacOS (or Windows). For the iPhone/iPad, just update the OS.
February 24th, 2014 at 10:55 am
Kem,
Here’s what I got when I tried the link in your email on our desktop and iPad. (I had updated my phone yesterday.)
If you can see this message then you are probably affected by CVE-2014-1266! See https://www.imperialviolet.org/2014/02/22/applebug.html for details and http://support.apple.com/kb/HT6147 for the iOS patch.
I’m updating my iPad now, but don’t see any software updates on my desktop. I haven’t checked my laptop, yet. What to do? Thanks!
February 24th, 2014 at 11:41 am
No software updates for the Mac OS yet. Use Firefox or Chrome to access secure sites for now. (The links to get the latest versions are in the post.)
February 25th, 2014 at 11:15 pm
The 10.9.2 update released today fixes the issue.