Thoughts on the new Apple SSL vulnerability.

Posted: February 26, 2014. At: 11:53 AM.
Page permalink: http://securitronlinux.com/it/thoughts-on-the-new-apple-ssl-vulnerability/


The new Apple SSL vulnerability is a concerning bug in Apple's iOS and Macintosh desktop operating systems. It allows SSL spoofing, as it will allow a faked SSL connection to pass as a real one. Apparently it uses ports 1266 and 1267; blocking these with your firewall should alleviate this threat if you are running a vulnerable Macintosh operating system.

I am testing this on OSX 10.8.5, but since I am behind a proxy, the test site at https://gotofail.com/# does not work properly, negating the test. The firewall is blocking the aforementioned ports. But this needs to be fixed properly by Apple. Bugs like this can hurt the image of Apple and their operating system.

There is a patch available for Apple OSX Mavericks. This patch should be installed as soon as possible to protect your system. Get some information about this patch here: http://support.apple.com/kb/HT6150. There are also official Apple iOS updates that protect against this vulnerability. Get them here: http://support.apple.com/kb/HT6147.

I am using an iMac right now to write this blog post. The mouse with the tiny ball scroll “wheel” takes some getting used to, but you can right-click after all. And you have to press Command-V to paste text instead of Ctrl-V. The lovely 1080p screen makes up for any other shortcomings, and you have access to a UNIX shell with the terminal app.

Here is the shell that you use.

Admins-iMac-166:~ admin$ echo $SHELL
/bin/bash

And here is the OSX 10.8.5 kernel version.

Admins-iMac-166:~ admin$ uname -a
Darwin Admins-iMac-166.local 12.5.0 Darwin Kernel Version 12.5.0: Mon Jul 29 16:33:49 PDT 2013; root:xnu-2050.48.11~1/RELEASE_X86_64 x86_64

There are not that many commands available for the Apple terminal. The wget command is not available, but the ifconfig command works as usual.

Admins-iMac-166:~ admin$ ifconfig en1
en1: flags=8863 mtu 1500
	ether 00:1f:5b:c4:0e:b4 
	inet6 fe80::21f:5bff:fec4:eb4%en1 prefixlen 64 scopeid 0x5 
	inet 172.29.59.165 netmask 0xffffff00 broadcast 172.29.59.255
	media: autoselect
	status: active

So, with the patch applied, a Macintosh computer can be safe to use on the web again. Just be sure to use the test website link to test your SSL implementation.
