February 25, 2014
An SSL exploit remains alive and well in the current version of OS X Mavericks, four days after Apple released a fix to resolve the same issue on iOS devices. One New Zealand security consultant has now successfully developed a proof of concept for the still-open OS X exploit, also known as "goto fail," according to ZDNet.

In a blog post, Nullcube's Aldo Cortesi confirms that a modified man-in-the-middle proxy is all it took to take advantage of the open hole in OS X Mavericks. As a result, "I've confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks," he wrote. More worrisome:

"Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured."

Cortesi said that this includes iCloud data, including KeyChain enrollment and updates, data from the Calendar application, and traffic from apps that use certificate pinning, such as Twitter.

It took Cortesi less than 24 hours to develop the proof of concept, which he won't be releasing to the public "until well after Apple has deployed its patch for OS X." He notes:
"It's difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic."

Beyond turning your machine off and disconnecting it from the Internet, there is little that Mac users can do until Apple releases a fix. Hopefully, the wait won't be much longer. If you haven't yet done so, be sure to update your iOS devices to iOS 7.0.6. Apple has also released iOS 6.1.6 to resolve the issue on older devices. The updates can be downloaded through iTunes or directly from an iOS device by going into the Settings app, then General > Software Update.