Help Protect a Mac from the SSL / TLS Security Bug
Apple recently released iOS 7.0.6 with an important security update for iPhone, iPad, and iPod touch users. If you have an iOS device, you should install that update right away. Though the 7.0.6 bug fix description was initially vague, further information we’ll detail below points to just how potentially serious the security issue is (or was): basically, someone could intercept your data given the proper circumstances. While the problem has been patched on the iOS side, the same security flaw exists for OS X for the time being (the bug has been fixed with OS X 10.9.2).
Yes, Apple will likely push a bug fix to Mac users in the near future, and all Mac users should install that update right away when it arrives. Until then, you can take some simple precautions to help protect yourself and your Mac from harm. Though this is general advice focused on helping to prevent trouble from the active OS X SSL/TLS security bug, these simple tips are actually good basic network security protocol to follow in general. Advanced users will probably already know what to do (or rather, what not to do), but if you’re unfamiliar with good network practice then you may learn something new.
Update: Mac users can now download the OS X 10.9.2 update to fix this security hole completely. The advice below is still valuable for general wi-fi and network security, however.
3 Easy Tips to Help Protect a Mac from the SSL / TLS Security Flaw
- Avoid all untrusted networks – that mysterious open wi-fi router that you sometimes connect to when your internet is slow because your brother/mom/roommate is streaming Netflix? Don’t connect to it. The router that doesn’t ask for a password at the local coffee shop? Avoid it. Connect to trusted and secured networks only, whether they’re at work, school, or home. It can’t be said enough; do not join any untrusted wireless networks until the machine has been patched.
- Check your web browser with GoToFail to determine if the browser itself is vulnerable – if it is found to be vulnerable, consider temporarily using another updated web browser until the flaw has been patched (the latest versions of Chrome and Firefox are reportedly fine for now).
- Be sure the trusted wi-fi network has WPA2 security active – this means it requires a password when connecting to the router, though you will still want to double-check the network is using WPA2. While this alone is not a guarantee of protection or security, it does lower the likelihood that a nefarious character is on the network. Wide open password-free networks are like the wild west and anything goes, so avoid them. For those with their own wi-fi routers, remember that WEP is outdated and insecure; always use WPA2 security for wi-fi passwords.
While using a different browser and protected network is better than nothing, the importance of being on a protected network (and patching your devices when possible) cannot be emphasized enough. To better understand why, a theoretical attack using the SSL/TLS vulnerability is described by CrowdStrike as follows:
“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”
To put it simply, an attacker could use this flaw to intercept data, like email, passwords, banking information, communications, basically anything, if the attacker is on the same network as you, or is otherwise able to get between your computer and a remote server. This is why it is so important to avoid untrusted networks: doing so greatly mitigates risk.
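For readers who want to see what a "flaw in authentication logic" can look like, here is a simplified illustration added to this article (it is not Apple's code): a duplicated, unconditional `goto fail`, the pattern the GoToFail test is named after, skips the final signature check while the function still reports success. The function names and sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the handshake steps; 0 means success. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed pattern: without braces only the first goto belongs to the if.
 * The second one always runs, so the check below is never reached and
 * err still holds 0 (success) when the function returns. */
int verify_flawed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
    goto fail;                          /* duplicated line: always taken */
    if ((err = check_signature(sig, expected)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected pattern: braces on every branch, final check is reached. */
int verify_fixed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed sample values, not real key material. */
    const char *good = "sig-from-real-server", *forged = "sig-from-impostor";
    printf("flawed, forged: %d\n", verify_flawed("params", forged, good));
    printf("fixed,  forged: %d\n", verify_fixed("params", forged, good));
    printf("fixed,  good:   %d\n", verify_fixed("params", good, good));
    return 0;
}
```

The flawed version returns 0 for the forged signature, which is why a patched system, and not just a careful choice of network, is the real fix.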
So, let’s summarize: iOS devices should update to iOS 7.0.6 or iOS 6.1.6 NOW, using a trusted network. iOS users should actively forget wi-fi networks they do not trust. No user of any device should join untrusted networks until they install the appropriate patch, and are probably better off avoiding untrusted networks in general. All Mac users should install the appropriate security update for OS X right away when it has been released (yes, we’ll post about it when it’s out). It’s not a guarantee, but by following that advice, you’re certainly better off than not.