How to Install Apple's Latest iOS Security Patch Right Now

Source: Tom's Guide US | 6 comments

UPDATE: Apple has also released a patch for the version of this vulnerability on its OS X platforms, as part of the update to OS X 10.9.2. All users are strongly encouraged to download this update.

CORRECTION: An earlier version of this story said the updated version of iOS 6 would be 6.1.3. It is 6.1.6.

Apple's latest update to iOS, released Friday (Feb. 21), doesn't seem important at first. But the update actually fixes a serious security flaw, possibly caused by a single stray line of code, which leaves hundreds of millions of iPhones and iPads vulnerable to hackers.

Even worse, the flaw seems to affect recent versions of Mac OS X, for which a patch is not yet available.

If you have a device running iOS 6 or 7, and you're not connected to a stranger's Wi-Fi network, patch it now — we've got instructions below. If you're running Mac OS X on a laptop, don't use public Wi-Fi networks, even those at your favorite coffeeshop.

The flaw also affects second- and third-generation Apple TVs, which received a patch.

"I know what the Apple bug is," tweeted Matthew Green, a cryptography expert who teaches at Johns Hopkins University in Baltimore. "And it is bad. Really bad."

Stay off the Starbucks network

In the Apple security bulletin issued Friday night (Feb. 21), Apple said only, "An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS ... Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."

Software vendors releasing emergency patches are often intentionally vague in order not to give would-be attackers any tips.

It's not clear how long the vulnerability has existed. Devices back to the iPhone 3GS, first released in June 2009, are affected, but the flaw could have been introduced in a later software update.

Apple provided no information about the exposure of Mac OS X devices to the flaw.

Google network-security engineer Adam Langley confirmed in a blog posting early Saturday (Feb. 22) that the flaw existed in OS X 10.9 (Mavericks), but added that Google Chrome and Mozilla Firefox browsers on OS X were not directly affected. (All browsers on iOS would be affected, since they're actually Safari underneath.)

To see whether the vulnerability exists on your system, try to open this URL Langley created: https://www.imperialviolet.org:1266/. If you can see a Web page, you're vulnerable.

Security firm CrowdStrike advised users of iOS devices and OS X laptops to not use untrusted Wi-Fi networks until patches had been installed.

"Do not use untrusted networks (especially Wi-Fi) while traveling, until you can update the devices from a trusted network," wrote CrowdStrike's Alex Radocea in a blog posting. "On unpatched mobile and laptop devices, set 'Ask to Join Networks' setting to OFF, which will prevent them from showing prompts to connect to untrusted networks."

Regarding the vulnerability of OS X devices, Radocea wrote only, "We expect Apple to release an update soon."

We'll get into the technical details of this software flaw, but first, here's how to update your iOS and Apple TV devices.

How to update an iOS device

To update your iOS device, first make sure you're on a trusted, password-protected home or office Wi-Fi network. Don't use the Wi-Fi in a public place, even if it requires a password.

If your wireless carrier's 3G/4G signal strength is good and you don't mind using up some cellular data, turn Wi-Fi off.

Connect the device to a power source if possible. Some software updates take time to download and install.

Tap the Settings icon on your device's home screen, then tap General, then Software Update.

If you're running iOS 7, you'll be prompted to install iOS 7.0.6; if iOS 6, it'll be iOS 6.1.6.

Tap Download and Install. If you're prompted again to confirm the installation, tap Install.

Your device will restart when the installation is complete.

This update is for iOS 6 and 7, applying to iPhone 3GS and later, iPad 2 and later and iPod Touch fourth-generation and later.

How to update Apple TV

To update Apple TV, select Settings, then General, then Software Update.

The device will check for an available update; if your device is eligible for this one, the update will be Apple TV 6.0.2.

Select Download and Install. The Apple TV light will flash during the process, and the Apple TV will restart once the installation is complete.

The update is for second-generation and later Apple TVs.

You don't see me, but I see you

From Apple's statement, it appeared that the flaw permitted a man-in-the-middle attack upon secure Internet communications by an attacker sitting on the same local network — coffeeshop or airport Wi-Fi, for example — as the victim.

Man-in-the-middle attacks occur when an attacker intercepts a communication between two parties, and then impersonates each party to the other.

Say Alice and Betty are communicating, but Clyde stages a man-in-the-middle attack. To Alice, he pretends to be Betty, and to Betty, he pretends to be Alice. Clyde now controls the messages Alice and Betty are exchanging, and can read, change or redirect them without Alice or Betty being aware of his presence.

Using such an attack, a stranger sitting in a hotel lobby or cafe could intercept other people's online banking activity, social-media postings, email messages and so on. He could even try to inject malware by creating fake software downloads.

You can goto your own way

Cryptography experts immediately tried to figure out what was wrong with Apple's implementation of Secure Sockets Layer (SSL), the protocol that underlies almost all Web-based secure connections.

A few figured it out quickly — and were scared at what they saw.

"I'm not going to talk details about the Apple bug except to say the following," tweeted Green. "It is seriously exploitable and not yet under control."

Google's Adam Langley initially tweeted Friday evening that he was also going to "keep quiet" about the bug.

But other software experts posted code snapshots overnight of what they believed might be the flaw, and it made its way to online forums.

Noting that "the cat's out of the bag," Langley broke his silence in his Saturday blog posting, revealing that the devastating software flaw apparently derives from a single repeated line of code in Apple's open-source SSL implementation.

The code looks like this:

    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

Notice the repeated "goto fail;". That shouldn't be there. Langley explained that that repeated line of code effectively disables verification of the digital signatures underlying SSL, with the result that all signatures pass the verification check and "everything falls apart."

"The first one is correctly bound to the if statement, but the second, despite the indentation, isn't conditional at all," Langley wrote. "The code will always jump to the end from that second goto, err will contain a successful value because the SHA1 update operation was successful and so the signature verification will never fail."
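To make Langley's explanation concrete, here is an added C example (not Apple's code; the hash and signature routines are constructed stand-ins, and OSStatus follows the real convention that 0 means success) showing the control-flow bug beside a corrected version. In the vulnerable function the stray goto skips the signature check, so err is returned while still holding the 0 from the successful hash update:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for Secure Transport types: OSStatus 0 means success. */
typedef int OSStatus;
typedef struct { uint32_t acc; } HashCtx;

/* Toy hash; its update/final steps always succeed, as the SHA1 update did. */
static OSStatus hash_update(HashCtx *c, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++)
        c->acc = c->acc * 31u + d[i];
    return 0;
}
static OSStatus hash_final(HashCtx *c, uint32_t *out) { *out = c->acc; return 0; }

/* Hypothetical signature check: passes only when sig matches the hash. */
static OSStatus verify_sig(uint32_t hash, uint32_t sig) { return hash == sig ? 0 : -1; }

/* Same shape as the Apple snippet: the second goto is unconditional, so
 * hash_final() and verify_sig() are skipped and err keeps the 0 from update. */
OSStatus verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig) {
    HashCtx ctx = {0};
    uint32_t hash = 0;
    OSStatus err;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;                 /* duplicated line: always taken */
    if ((err = hash_final(&ctx, &hash)) != 0)
        goto fail;
    err = verify_sig(hash, sig);   /* never reached: any sig is accepted */
fail:
    return err;
}

/* Corrected: duplicate removed, and every branch braced so a stray
 * statement can never silently become unconditional. */
OSStatus verify_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    HashCtx ctx = {0};
    uint32_t hash = 0;
    OSStatus err;
    if ((err = hash_update(&ctx, params, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &hash)) != 0) { goto fail; }
    err = verify_sig(hash, sig);
fail:
    return err;
}
```

Compiling the vulnerable version with Clang's -Wunreachable-code flags the lines after the stray goto, which is the cheapest check that would have caught this shape of bug.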

Our friends in Fort Meade

The security community on Twitter indulged in gallows humor about the Apple security flaw overnight.

"iOS/OSX SSL bug is like suddenly realizing that you've been walking around without pants for the past month," tweeted independent security researcher and journalist Ashkan Soltani. "All your privates are exposed."

Some joked that the National Security Agency, based in Fort Meade, Md., must have at some point in the past exploited the newly revealed flaw to snoop upon Apple users.

"I heard that in Maryland some parties 'with a privileged network position' are opening Champagne to celebrate this iOS bug," tweeted Chaouki Bekrar, head of a French firm that finds zero-day vulnerabilities — previously unknown software flaws — and sells them to government agencies.

"More likely they're holding a funeral for it," replied Melissa Elliott, a security researcher with Veracode in Burlington, Mass.

"I'm sure the Apple bug is unintentional," noted Green. "But man, if you were trying to sneak a vuln into SSL, this would be it."

Comments
  • Efunn, February 22, 2014 8:10 AM (score -1)
    Thank you! But my iOS is 6 on a 4G and the only upgrade choice I have is for 7, which I don't want. Please help.
  • ddpruitt, February 22, 2014 9:48 AM (score 3)
    Jesus Christ! I thought Apple had much better software engineers/coders than this. This is a piss poor piece of code, did they have a high-school drop out write it? Real testing obviously isn't being done on their security code since proper whitebox testing wouldn't have caught this. If this "slipped" through, I shudder to think about what else lies beneath. A better way to write this section of code is:
      if (!(ReadyHash(hashRef, &hashCtx) && hashRef->update(&hashCtx, &clientRandom) && hashRef->update(&hashCtx, &serverRandom) && hashRef->update(&hashCtx, &exchangeParams) && hashRef->final(&hashCtx, &hashOut)))
  • house70, February 22, 2014 1:45 PM (score 2)
    A former NSA employee famously stated that they can, and always will, break into any iPhone they want. Knowing that, these patches are irrelevant.
  • otacon72, February 22, 2014 8:00 PM (score -2)
    Update came out yesterday and I updated yesterday... didn't have to wait 6 months with other not-to-be-mentioned mobile OSs.. lol
  • axefire0, February 22, 2014 9:35 PM (score 1)
    Will Apple be liable for losses due to this flaw?
  • oceanskate999, February 23, 2014 2:37 AM (score 1)
    And to think some of the original thinking, before apple got big, and the defense as to why they'd go apple mac instead of say pc, was that apple's OS was built so much better and didn't really have any tendency to be exploited or to have bugs etc. As a programmer, I laughed at this for decades and secretly knew it was only down to obscurity. Now that they are getting their wish with soaring popularity, I hear about some new apple flaw every week. It doesn't matter whether it's on a mac, an iphone, an ipod etc. It just keeps happening. Someone can argue that somehow it's better, but that's really a fantasy. If it were really what apple kept trying to hint it was, all these i-devices wouldn't keep having problems. And to those who say, No duh, every thing gets glitches, bugs, malware, problems, I say, true, but then why was that the big excuse for apple 5 years ago? Look where they are now. And in fact, because being popular is new, they aren't very hardened against attacks. They are security weaklings. It's been proven over and over. I remember when I said, just wait, when it gets popular the shit will hit the fan. And that shit is starting to hit. The only thing consumers are now left with is an overly arrogant, slow to update company full of lies, empty promises and higher costs. Anyone defending this will just make me chuckle further as I've been reading these things for years already anyway.. mac defender anyone?