iOS 7.0.6 / iOS 6.1.6 is now available

The fact they released this news last thing on a Friday probably means the bug is very serious, and that users should update as soon as possible.
 
I just wish they would release iOS 7.1 sooner. I have lots of bugs that I know are fixed in the 7.1 beta versions.
 
The fact they released this news last thing on a Friday probably means the bug is very serious, and that users should update as soon as possible.

For those interested in programming, have a look at the old source code http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt and specifically line 631.

The first goto is bound to the if statement above, but the second goto isn't conditional and will always be executed. Result is that the SSL/TLS signature verification will never fail :eek:.

Lesson for programmers = Never use if statements without curly braces! :p
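
A reduced model of the control flow described in the post above, added here as an example; it is not Apple's source and not part of the original thread. The function names and sample strings are hypothetical, and the hash step is a stand-in that always succeeds.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a hash-update step; it always succeeds (0). */
static int hash_update(const char *data) { (void)data; return 0; }

/* Hypothetical final step: the only place the signature is compared. */
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Pattern described in the thread: the second goto is unconditional. */
int verify_buggy(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;   /* always taken, with err == 0 from the line above */
    if ((err = check_signature(sig, expected)) != 0)   /* never reached */
        goto fail;
fail:
    return err;      /* 0 means "verified" to the caller */
}

/* Same logic with braces: a duplicated line would stay inside the block. */
int verify_fixed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed sample values, not real key-exchange data. */
    printf("buggy, bad sig:   %d\n", verify_buggy("params", "bad", "good"));
    printf("fixed, bad sig:   %d\n", verify_fixed("params", "bad", "good"));
    printf("fixed, good sig:  %d\n", verify_fixed("params", "good", "good"));
    return 0;
}
```

Building with GCC's `-Wmisleading-indentation` (part of `-Wall` since GCC 6) or Clang's `-Wunreachable-code` flags the buggy function at compile time.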
 
The first goto is bound to the if statement above, but the second goto isn't conditional and will always be executed. Result is that the SSL/TLS signature verification will never fail :eek:.

It's a schoolboy error but these things happen. The sloppiness with regards to testing is less forgivable but again, it happens. Nothing is perfect.

The company response when something like this does occur is what you should really make a judgement on. Which so far has been minimal unfortunately.
 
Still vulnerable in certain situations with the patch though (root apps/tweaks; like iFile or Cydia) and obviously safe mode too - but for 95% of situations it's a good solution. I use Cydia for purchasing via PayPal so it's not safe enough for me, so I updated to 7.0.6 and re-jailbroke.

Also, I see there's another security flaw that's just come to light:

Newly Discovered Flaw In iOS Makes It Possible To Covertly Log Keystrokes
 
For those interested in programming, have a look at the old source code http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt and specifically line 631.

The first goto is bound to the if statement above, but the second goto isn't conditional and will always be executed. Result is that the SSL/TLS signature verification will never fail :eek:.

Lesson for programmers = Never use if statements without curly braces! :p

Actually, this is one of the reasons why I can't warm to Python. Curly braces beat indentation any day of the week.
 
Anyone else had random message issues with this?
We've just done one of the iPhones in the office and there's a load of text messages gone missing...
 