Macs vulnerable to SSL bug – take care until patch released, expected shortly

The bug: In what is known as the ‘goto fail’ vulnerability, a faulty line of code prevents the Mac from recognising that the remote computer it is exchanging information with does not have a genuine, secure certificate. It recognises that a certificate is present and continues exchanging information even though it can’t authenticate which organisation signed the certificate.
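How one stray line can switch off a check, as a simplified illustration added here (it is not Apple's code and not part of the original post). The function names and the stubbed checks are constructed for the example, which models the widely published pattern: a duplicated `goto fail;` that runs unconditionally while the error code is still 0.

```c
#include <stdio.h>

/* Constructed stand-ins for handshake steps; each returns 0 on success. */
static int hash_step(int ok)          { return ok ? 0 : -1; }
static int signature_valid(int sigok) { return sigok ? 0 : -1; }

/* Flawed flow: the second "goto fail" is not governed by the if above it,
 * so it always jumps past the signature check while err is still 0 and
 * the caller is told that verification succeeded. */
int verify_flawed(int sig_ok)
{
    int err;
    if ((err = hash_step(1)) != 0)
        goto fail;
    if ((err = hash_step(1)) != 0)
        goto fail;
        goto fail;                      /* duplicated line, always runs */
    if ((err = signature_valid(sig_ok)) != 0)   /* never reached */
        goto fail;
fail:
    return err;
}

/* Corrected flow: the stray jump is gone and every branch is braced,
 * so a duplicated line would stay inside its block. */
int verify_fixed(int sig_ok)
{
    int err;
    if ((err = hash_step(1)) != 0) {
        goto fail;
    }
    if ((err = hash_step(1)) != 0) {
        goto fail;
    }
    if ((err = signature_valid(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    printf("flawed, bad signature -> %d\n", verify_flawed(0));
    printf("fixed,  bad signature -> %d\n", verify_fixed(0));
    return 0;
}
```

Current GCC and Clang can flag this pattern at build time with `-Wmisleading-indentation`.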

The problem: The bug has existed in the code for many months, but the flaw is now well-publicised and the chances of it being exploited are much higher. An update from Apple is expected very shortly which will correct the code and remove the flaw.

Although the flaw is most easily demonstrated in Safari, any Mac software that uses Apple’s implementation of SSL (Secure Sockets Layer) or TLS (Transport Layer Security) is compromised, including Mail, Messages, Calendar, FaceTime and even connections to the App Store. This leaves communications between Macs and servers open to ‘man-in-the-middle’ attacks: traffic between, say, your Mac and your bank, which should be secured by SSL/TLS, is hijacked by a third party, and information including account details and passwords could be intercepted.

What to do: There are no reports, yet, of the vulnerability being exploited, but it’s likely it won’t be long. Until Apple releases its patch, it is prudent to avoid using Safari (and other apps, though they’re unlikely to carry such sensitive information) for sending valuable information. If you need to use your Mac for online banking, it would be wise to use Firefox or Chrome, which use different implementations of SSL and TLS.

Apple released a patch for iOS, for iPhones and iPads, over the weekend – taking iOS to version 7.0.6. It is strongly recommended that you patch all iOS devices as soon as possible, as they are affected by the same vulnerability until the patch is applied. Connect the device to the mains, with internet access, tap Settings, General and Software Update, then follow the instructions.

Update: Apple has released OS X update 10.9.2 which includes a fix for the major SSL security flaw mentioned yesterday. Although it’s believed (Apple haven’t been too forthcoming with details) the SSL bug affects Mavericks (10.9) only, the recently released updates cover Mavericks, Mountain Lion and Lion.

Mac users are recommended to update their software (click Apple logo, Software Update, or click the App Store and right-hand button, ‘Updates’) – although the software may be set to update automatically, manually selecting Software Update or visiting the App Store will force the update through immediately. The update will take a few minutes to download and longer to install, around a ten-minute process in total, requiring a reboot.
