Yesterday's iOS 7.0.6 update provided a fix for an SSL connection verification issue, which turned out to be a major security flaw in the operating system. In a support document, Apple noted the patch repaired a specific vulnerability that could allow an attacker with a "privileged network position" to capture or modify data protected by SSL/TLS.
In other words, iOS was vulnerable to a man-in-the-middle attack where an attacker could pose as a trusted website to intercept communications, acquiring sensitive information such as login credentials and passwords, or injecting harmful malware.
According to security firm CrowdStrike, OS X may be vulnerable as well, because it exhibits the same authentication flaw. OS X users are open to an attack on any shared wired or wireless network as SSL/TLS verification routines can be bypassed.
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.
This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
The bug, which has been detailed by Google software engineer Adam Langley, may have been introduced in OS X 10.9. According to Hacker News users, it remains unclear whether the issue is fixed with the latest version of the software, OS X 10.9.2, which is currently only available for developers. Users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari.
It is likely that Apple plans to release a fix for OS X in the near future to repair the vulnerability, but in the meantime, CrowdStrike recommends avoiding untrusted WiFi networks while traveling. The site also recommends an immediate update to iOS 7.0.6 for users who have not yet installed the newest version of the operating system on their iOS devices.
Update: Apple has told Reuters that it is aware of the issue and has a software fix that will be released "very soon."
Thursday January 8, 2026 2:56 am PST by Tim Hardwick
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max.
One thing worth...
Friday January 9, 2026 8:17 am PST by Tim Hardwick
2026 could be a bumper year for Apple's Mac lineup, with the company expected to announce as many as four separate MacBook launches. Rumors suggest Apple will court both ends of the consumer spectrum, with more affordable options for students and feature-rich premium lines for users that seek the highest specifications from a laptop.
Below is a breakdown of what we're expecting over the next ...
Tuesday January 6, 2026 3:04 am PST by Tim Hardwick
CES 2026 has just provided a first glimpse of the folding display technology that Apple is expected to use in its upcoming foldable iPhone. At the event, Samsung Display briefly showcased its new crease-less foldable OLED panel beside a Galaxy Z Fold 7, and according to SamMobile, which saw the test booth before it was abruptly removed, the new panel "has no crease at all" in comparison.
The ...
Wednesday January 7, 2026 2:51 pm PST by Juli Clover
Though it's been just a few months since iOS 26 launched, we're already hearing rumors about the next-generation version of iOS, iOS 27. iOS 27 will be introduced at Apple's June WWDC 2026 event before it launches in September 2026.
We don't know all of the details about iOS 27 yet, but we do have some information about what to expect.
"Snow Leopard" Update
iOS 27 will apparently focus...
Wednesday January 7, 2026 12:57 pm PST by Eric Slivka
JPMorgan Chase has reached a deal to take over operation of the Apple Card, reports The Wall Street Journal. Barring any "last minute hiccups," the deal should be announced shortly after over a year of negotiations.
Reports began circulating over two years ago that current Apple Card issuer Goldman Sachs was looking to end its partnership with Apple as part of an effort to scale back on...
Wednesday January 7, 2026 5:27 am PST by Tim Hardwick
Logitech users on macOS found themselves locked out of their mouse customizations yesterday after the company let a security certificate expire, breaking both its Logi Options+ and G HUB configuration apps.
Logitech devices like its MX Master series mice and MX Keys keyboards stopped working properly as a result of the oversight, with users unable to access their custom scrolling setup,...
Wednesday January 7, 2026 11:27 am PST by Eric Slivka
OpenAI today announced the launch of ChatGPT Health, a dedicated section of ChatGPT where users can ask health-related questions completely separated from their main ChatGPT experience.
For more personalized responses, users can connect various health data services such as Apple Health, Function, MyFitnessPal, Weight Watchers, AllTrails, Instacart, and Peloton. Last month, MacRumors discovere...
Apple has lost another senior figure from its Safari team as a lead designer departs for The Browser Company, extending a pattern of high-profile exits from Apple's browser team amid intensifying competition around AI-driven browsing.
Marco Triverio was a lead designer for Safari and has now joined The Browser Company, the developer of the Arc and Dia browsers. The move was confirmed by The...
If this was a vulnerability in Flash, Windows, or Android there would be no end to the bashing that would be going on. Yet since it is Apple, users seem to be more accepting and are defending the company. Interesting indeed.
That's why I use Chrome, which gets security updates after every few weeks. :)
This has nothing to do with a particular browser. It's a flaw in the core OS X system security framework that software use to encrypt https (and other) connections.
The fact that Apple made iOS it's first priority is very revealing, they could have made it their highest priority to fix both iOS & OS X concurrently.
Furthermore, it reveals how sloppy they're getting. It should have been caught before it was shipped. One minute they patronize the masses, boasting how much they care about their customers, then they pull a stunt like this.
Microsoft wouldn't allow this to go ignored as long as Apple has.
$158.8 billion in cash reserves, and they don't hire a single security expert/programmer which at least skims through the core SSL code? :confused: :mad:
I still have ios 6 on my iPad and I don't want to upgrade to ios 7 just because of this security issue! This basically forces every one to upgrade to ios 7. so annoying!!!
"Apple has also released iOS 6.1.6 (build 10b500) for the iPhone 3GS and fourth-generation iPod touch."
Probably if you can upgrade to 7, you get 7.06, even you are still on IOS 6. I guess this is a really good way for Apple to get more people on 7.
How convenient. Apple will force everyone with a device capable of installing iOS7 to install it one way or another.... and then "brag" about the adoption of iOS 7.:rolleyes:
