How bad is Apple’s SSL security bug?

iPad Air side

Apple yesterday released iOS 7.0.6 (and iOS 6.1.6 for devices that didn’t support iOS 7), and it contained a massive fix. At the time, it wasn’t clear how necessary this patch was. But today, it’s obvious that literally everyone should be updating to iOS 7.0.6. Don’t believe me? Ask pod2g, a famed developer/hacker that has helped bring various jailbreaks into existence:

Apparently this bug wasn’t in any version of iOS 4, so it seems that it was introduced sometime in iOS 5 or 6. That means that this vulnerability has been open for at least a year, but probably slightly more.

That’s a massive hole, and Apple should be ashamed that this went unnoticed for so long.

New-iMac

However, I’m hopeful that all isn’t completely lost. This hole in iOS (and OS X — it’s present there, as anyone that tries gotofail.com, a way to test and see if you are vulnerable, in Safari under OS X can attest to) hasn’t been widely known, or likely used in any mass attack to steal information. How do I know this? Because it hasn’t been publicized.

It hasn’t been picked up by security researchers going through forums across the internet. As an avid listener of Security Now, a podcast hosted by Steve Gibson that discusses the latest news and developments in crypto and security in computers, there seems to be a trend that occurs:

  1. Hacker finds exploit.
  2. Hacker demonstrates that it works.
  3. Hacker discusses said exploit on some forum, where the post is seen by some security researcher who then begins investigating.
  4. Security researcher either goes to Apple or to the press, while the hacker may or may not be able to use the exploit to cause major damage.
  5. If the hacker is able to cause major damage, the press gets involved, and the story blows up from there.

I haven’t seen any major news stories that could be due to this hack, which leads me to believe that it hasn’t been used in any major way.

What I’m not saying: that this is excusable, or that we shouldn’t care. This is a pathetic mistake on Apple’s part. This should have been caught by regression testing before it got out the door, but certainly within a few months. Forget the bugs or design issues in iOS 7 or Mavericks, this is the type of issue that has me questioning Apple’s software quality.

Anyways, here’s some good advice, again from pod2g:

If you’re worried about your jailbreak, never fear: evasi0n7 has been updated.

Post a response / What do you think?