Help Protect a Mac from the SSL / TLS Security Bug

Feb 22, 2014 - 18 Comments


Apple recently released iOS 7.0.6 with an important security update for iPhone, iPad, and iPod touch users; if you have an iOS device, install that update right away. Though Apple's description of the 7.0.6 fix was initially vague, the details below show how serious the issue is (or was): under the right circumstances, someone on your network could intercept and alter your encrypted traffic. The flaw has been patched on the iOS side, but the very same bug exists in OS X until Apple ships the corresponding update (it was fixed in OS X 10.9.2; see the update below).

Yes, Apple will likely push a bug fix to Mac users in the near future, and all Mac users should install that update as soon as it arrives. Until then, you can take some simple precautions to help protect yourself and your Mac. Though this advice is focused on the active OS X SSL/TLS bug, these tips are good basic network security practice in general. Advanced users will probably already know what to do (or rather, what not to do), but if you're unfamiliar with good network practice you may learn something new.

Update: Mac users can now download the OS X 10.9.2 update to fix this security hole completely. The advice below is still valuable for general wi-fi and network security, however.

3 Easy Tips to Help Protect a Mac from the SSL / TLS Security Flaw

  1. Avoid all untrusted networks – that mysterious open wi-fi router you sometimes join when your own internet is slow because your brother/mom/roommate is streaming Netflix? Don't connect to it. The router at the local coffee shop that doesn't ask for a password? Avoid it. Connect only to trusted, secured networks, whether at work, school, or home. It can't be said enough: do not join any untrusted wireless network until the machine has been patched.
  2. Check your web browser at GoToFail (gotofail.com) to determine whether the browser itself is vulnerable. If it is, consider temporarily using another, up-to-date browser until the flaw has been patched (the latest versions of Chrome and Firefox on OS X use their own TLS code rather than the system library and are reportedly unaffected). Note that this only tests the browser: Mail, the App Store, Software Update, and every other app that relies on the system's SSL/TLS library remain vulnerable until OS X itself is patched.
  3. Make sure any trusted wi-fi network you use has WPA2 security enabled. In practice that means it requires a password to join, but a password alone isn't proof; check that the network actually reports WPA2 (on a Mac, hold Option while clicking the wi-fi icon in the menu bar and look for "Security: WPA2 Personal"). This is no guarantee of protection: WPA2 only encrypts the link between your Mac and the access point, it does nothing about whoever controls the router or sits upstream of it, and on a WPA2 Personal network anyone who knows the shared passphrase can still decrypt other clients' traffic. What it does do is lower the odds that a random stranger is on the network with you. Wide open, password-free networks are the wild west where anything goes; avoid them. If you run your own router, remember that WEP is outdated and insecure; always use WPA2.

While using a different browser and a protected network is better than nothing, the importance of being on a trusted network (and patching your devices as soon as possible) cannot be emphasized enough. To understand why, consider the attack scenario CrowdStrike describes:

“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”

To put it simply, an attacker who is on the same network as you, or who can otherwise get between your computer and a remote server, could use this flaw to impersonate any HTTPS site and read or modify the traffic: email, passwords, banking information, communications, basically anything. That is why avoiding untrusted networks matters so much; it doesn't fix the bug, but it greatly reduces the chance that an attacker is in a position to exploit it.
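The control flow behind that description, as an added example that is not part of this article and not Apple's code: the published SecureTransport source for SSLVerifySignedServerKeyExchange contains a duplicated `goto fail;` line after the hash-update steps. Because that second goto is unconditional and `err` is still 0 at that point, the function jumps straight to the cleanup label and returns success without ever checking the server's signature over the ServerKeyExchange parameters, which is exactly what lets a man-in-the-middle present a key it doesn't own. The reduced model below reproduces that defect beside the corrected shape. The SHA-1 and RSA/ECDSA steps are replaced by constructed stand-ins (a 32-bit FNV-1a hash, and a "signature" that is simply the expected hash value), the status codes and handshake data are constructed, and the function and variable names only mirror the originals; none of this is the real library.

```c
/* Added example (not Apple's code): a reduced model of the "goto fail"
 * control-flow defect in SecureTransport's SSLVerifySignedServerKeyExchange.
 * The hash and signature steps are constructed stand-ins so the control flow
 * can be exercised offline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int OSStatus;
enum { errOk = 0, errCrypto = -1 };          /* constructed status codes */
#define HASH_INIT 2166136261u                 /* FNV-1a offset basis */

typedef struct { unsigned char data[64]; size_t len; } Buffer;
typedef OSStatus (*verify_fn)(const Buffer *, const Buffer *, const Buffer *, uint32_t);

/* Stand-in for SSLHashSHA1.update: fold the buffer into a 32-bit FNV-1a state. */
static OSStatus hash_update(uint32_t *ctx, const Buffer *b)
{
    for (size_t i = 0; i < b->len; i++) { *ctx ^= b->data[i]; *ctx *= 16777619u; }
    return errOk;
}

/* Stand-in for SSLHashSHA1.final. */
static OSStatus hash_final(const uint32_t *ctx, uint32_t *out) { *out = *ctx; return errOk; }

/* Stand-in for the raw signature check: valid only if the signature equals the hash. */
static OSStatus verify_signature(uint32_t hash, uint32_t signature)
{
    return hash == signature ? errOk : errCrypto;
}

/* The vulnerable shape: one `goto fail;` too many. The second goto is
 * unconditional, so hash_final and verify_signature are dead code and the
 * function returns err, which is still errOk (0) from the last successful
 * hash_update. Any signature, forged or genuine, is accepted. */
static OSStatus verify_signed_params_vulnerable(const Buffer *clientRandom,
        const Buffer *serverRandom, const Buffer *signedParams, uint32_t signature)
{
    OSStatus err;
    uint32_t hashCtx = HASH_INIT, hashOut = 0;

    if ((err = hash_update(&hashCtx, clientRandom)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, serverRandom)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, signedParams)) != 0)
        goto fail;
        goto fail;                                  /* the duplicated line */
    if ((err = hash_final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = verify_signature(hashOut, signature);     /* never reached */

fail:
    return err;
}

/* The fixed shape (what the patch amounts to): the stray goto is gone, so the
 * signature check runs and its verdict is what gets returned. */
static OSStatus verify_signed_params_fixed(const Buffer *clientRandom,
        const Buffer *serverRandom, const Buffer *signedParams, uint32_t signature)
{
    OSStatus err;
    uint32_t hashCtx = HASH_INIT, hashOut = 0;

    if ((err = hash_update(&hashCtx, clientRandom)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, serverRandom)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, signedParams)) != 0)
        goto fail;
    if ((err = hash_final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = verify_signature(hashOut, signature);

fail:
    return err;
}

/* Drive a verifier with constructed handshake data. If forge is nonzero the
 * signature is corrupted, as a MitM who lacks the real key would have to.
 * Returns the verifier's status (0 means the client accepted the key). */
static OSStatus run_handshake(verify_fn verify, int forge)
{
    Buffer clientRandom = { "client-random", 13 };
    Buffer serverRandom = { "server-random", 13 };
    Buffer signedParams = { "ServerKeyExchange DH params", 27 };
    uint32_t ctx = HASH_INIT, genuine;

    /* The honest server signs the same hash the client will compute. */
    hash_update(&ctx, &clientRandom);
    hash_update(&ctx, &serverRandom);
    hash_update(&ctx, &signedParams);
    hash_final(&ctx, &genuine);

    return verify(&clientRandom, &serverRandom, &signedParams,
                  forge ? genuine ^ 0xdeadbeefu : genuine);
}

int main(void)
{
    printf("vulnerable, forged signature:  %d (0 = accepted)\n",
           run_handshake(verify_signed_params_vulnerable, 1));
    printf("fixed,      forged signature:  %d\n",
           run_handshake(verify_signed_params_fixed, 1));
    printf("fixed,      genuine signature: %d\n",
           run_handshake(verify_signed_params_fixed, 0));
    return 0;
}
```

Build it with `cc -Wall` and run it: the vulnerable verifier returns 0 (success) for the forged signature, while the fixed one rejects it and still accepts the genuine one. Enabling unreachable-code diagnostics (clang's `-Wunreachable-code`) can flag the two dead statements after the stray goto, which is a cheap check worth keeping on in any TLS code base. The model also shows why the gotofail.com browser test is only a spot check: the defect lives in the shared system library, so Mail, Software Update and every other SecureTransport client are exposed in exactly the same way as Safari.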

Those interested can read additional technical information about the bug at ImperialViolet, and some more simplified details at Wired.

So, to summarize: iOS devices should update to iOS 7.0.6 (or iOS 6.1.6 for older devices) NOW, over a trusted network. iOS users should forget any wi-fi networks they do not trust. No user of any device should join untrusted networks until the appropriate patch is installed, and they are probably better off avoiding untrusted networks in general. All Mac users should install the OS X security update as soon as it is released (yes, we'll post about it when it's out). None of this is a guarantee, but by following that advice you're certainly better off than not.


Posted by: Paul Horowitz in Mac OS, News, Security

18 Comments


  1. George says:

    Scott made me glad I am using a VPN when needed, and I am using his example for a provider. I also am using a VPN on my Samsung S3 when using my free Wi-Fi calling on T-Mobile at rural McDonalds when I can't receive a T-Mobile link.

    Apple should be ashamed of themselves – two Goto’s equals go to Hell.

  2. Users can also be compromised if they visit a malicious site with a “homespun” SSL certificate that doesn’t have a valid key. This does not require privileged network access.

    If you can see this site:

    https://www.imperialviolet.org:1266/

    Your device or computer has this vulnerability. Chrome for iOS and OS X doesn’t have this issue.

  3. atjen says:

    Almost all apps are vulnerable to this right now, including: Safari, Mail, Keynote, Twitter, Software Update, FaceTime, Calendar, Evernote, and so many more. OS X needs a universal fix ASAP! This is very bad PR for Apple.

  4. MacGeekFool says:

    This issue, IMO, is just more proof that Apple has lost interest in OS X and is throwing its computer users to the trash heap.

    Mavericks was released as a steaming pile of guava, and the fact that they patched iOS first shows they would rather nurture their cash cow than the systems that got them on the map.

  5. George says:

    Wait a minute… doesn't VPN use the same SSL/TLS protocol to connect?

  6. bspiral says:

    Average people know nothing of … oh wait, we can teach them. Instead of knocking people for their lack of understanding and simply discarding valid solutions… make a suggestion.

    If you travel a lot and need to connect to untrusted wifi or on internet connections that are not trustworthy… get a VPN connection back to your office or purchase a 3rd party VPN service. It secures your data from your computer to the VPN end point.

    http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm

    • Ollie says:

      If someone is reasonably technical then a VPN can make sense. A great provider is https://www.privateinternetaccess.com/ it’s $6 a month but also anonymizes data (not that it matters for this situation), so it’s two-in-one: secured transfer + anonymous internet.

      PLUS it works to get around those annoying country and region specific things too, like watching the Olympics actually LIVE rather than a 16 hour tape delay that has been heavily cut to some Reagan era coldwarriorish malarkey like we’re all stuck in the 1980’s with the rest of NBC.

  7. Wut says:

    Average people know nothing of VPN usage, let alone how to find a good one or set one up. VPN is good but not an option for mom et al.

  8. Scott says:

    The three easy tips are pretty inadequate.

    Sometimes (as when traveling) the use of untrusted networks is unavoidable. WPA2 might protect you from the guy in the chair over there in the corner of Starbucks, but not against the Evil Barista who pwned the router, or a corrupt ISP. And checking your browser does nothing about the dozens of processes in your computer (such as email!) which rely on the OS to manage SSL/TLS encryption.

    There is a fine workaround, though: As detailed at http://unvexed.blogspot.com/2014/02/how-to-work-around-latest-man-in-middle.html you can use a VPN when accessing secure sites and services with your unpatched system. This will tunnel you right past the Evil Barista and the corrupt ISP.

    • Paul says:

      Using VPN through a secure server is great advice, but most users don’t have access to a VPN service or a remote secured server handy to use for that.

      Per Reuters, sounds like an update for OS X is coming from Apple soon http://www.reuters.com/article/2014/02/22/us-apple-encryption-idUSBREA1L10220140222

    • l0l3rs says:

      Actually, the VPN protocol in OS X is vulnerable too. That means VPN is also not safe and, well, using your own words “inadequate”. So your haughty “everything sucks but my idea here is my self promotional blog link” comment is completely wrong. Way to go!

      Now, not using untrusted networks? That is great advice, stick to it (even after the patch arrives today).

  9. Tiny Mite says:

    Good advice, thanks.

    So what’s the best way to check WPA2 security on routers? I don’t see that when I connect to a router.

    • bspiral says:

      On a Mac if you just click on the wifi icon in your menu bar, you’ll see a lock icon for encrypted wifi networks, but to see what kind – hold down option while clicking the wifi icon in your menu bar.

      You’ll see details of the wifi connection. Look for:

      Security: WPA2 Personal

  10. weirdy says:

    This is pretty, uh, “weird” timing, to say the least. Everyone should read this:

    http://daringfireball.net/2014/02/apple_prism

  11. David M says:

    This is a pretty egregious security hole to sit around for apparently years, it basically negates SSL protection. I say do the following:

    * Use Chrome or Firefox until the OS X Security Update arrives to patch Safari

    * Don’t transmit data from apps over untrusted networks (Software Update, App Store, iTunes, Evernote, anything that syncs online – don’t do it!)

    Most corporate and home networks are safe enough, but the bigger the network with more clients, the more potential for one of them to be untrusted. Always use appropriate precautions wherever you are.

  12. w0n t0n says:

    There is no shortage of conspiracy theory about this one, #gotofail on Twitter is like reading the security hole version of ZeroHedge and DrudgeReport
