On Friday, Apple released patches for iOS 6.x and 7.x, addressing a mysterious bug that affected TLS authentication. Although no further details were made available, a large-scale bug hunt ensued. This post on Hacker News pointed to the problem, and Adam Langley followed up with a complete analysis.
I’ve just released an update for the SSL Labs Client Test, which enables you to test your user agents for this vulnerability.
This bug affects all applications that rely on Apple’s SSL/TLS stack, which probably means most of them. Applications that carry with them their own TLS implementations (for example, Chrome and Firefox) are not vulnerable. For iOS, it’s not clear when the bug had been introduced exactly. For OS X, it appears that only OS X 10.9 Mavericks is vulnerable.
What you should do:
- iOS 6.x and 7.x: Patches are available, so you should update your devices immediately.
- OS X 10.9.x: Apple promised a fix would be available soon. Update as soon as it is released. The vulnerability has been fixed in 10.9.2. Update immediately.