Client Alert #29 Apple "gotofail" Security Update
Please read this entire alert!
On Friday, Apple released a security update for iPhones and iPads. Not an unusual occurrence by itself: Apple frequently provides security updates for the software on their devices. This particular update is generating a lot of noise in the press and creating a higher than normal level of confusion and concern. Let’s outline who’s affected, what this update addresses, what the risks are, and what you should do:
What is it? What devices are affected?
The issue that Apple identified is a bug in the code that manages how Apple devices communicate securely with servers such as Google, online banks, and email. Because of this flaw, an eavesdropper could hijack network traffic using what’s known as a “man-in-the-middle” attack. If you used a public WiFi connection (at a coffeehouse, hotel, airport, etc.), this flaw could allow someone to insert themselves electronically into transactions you make on your iPhone or iPad, granting them access to your information.
Since the release of the updates on Friday, security researchers believe that this vulnerability exists within OS X as well, but Apple has declined to verify this. Currently, it is known or assumed that it affects:
All iOS devices running iOS 6 or 7
Macs running Mac OS X
What are the risks? Has my device been compromised?
The likelihood that your information has been compromised is very low. There has not been a widespread “attack” and there’s no evidence that there has been large scale exploitation of this flaw. This type of attack would most likely occur at a public WiFi location, with an attacker targeting specific users.
What should I do?
First of all, don’t panic. Just because you’ve used the WiFi at Starbucks doesn’t mean you’ve been compromised. As we stated above, it is very unlikely that your device has been targeted.
Next, apply the update as soon as possible. As with all OS updates, be sure to have a good backup of your device before you update. We’re recommending that you do this via a “hard sync” - physically connecting your device to your computer. While it is possible to update “over the air” on the device itself, in rare cases there can be problems resulting in data loss or rendering your phone non-functional. The most reliable method to update your iOS devices is as follows:
iOS Update Steps:
1. Launch iTunes on your Mac and connect your iOS device using the cable. You’ll probably get a popup asking if you want to do the update now. If so, click on “Download only.”
2. On the device summary screen in iTunes, ensure that the “Encrypt local backup” checkbox is selected. When you select this for the first time, iTunes will prompt you for a password. We generally recommend using the same password as you use for your computer. Also check “Save in Keychain”.
3. Next, click on the “Back Up Now” button to start a backup to your computer.
4. Once the backup is complete, click on the “Check For Updates” button to update your device.
NOTE: If you are running iOS 6, you do not have to update to iOS 7 at this time. If you’re running iOS 6 and you see different options, please call us before proceeding. We can help you review your options.
What does the update do?
Apple has released updates for all iOS devices (iPhone, iPad & iPod Touch) and for the Apple TV. If you’re running iOS 6, the security update is version 6.1.6. If you’re running iOS 7, the update brings it to 7.0.6. The Apple TV update is version 6.0.2.
The security update addresses this flaw and prevents this type of malicious activity.
In spite of the seriousness of this security update, you should treat it the same as all security updates from Apple: ensure you have a good backup of your device and apply the update as soon as convenient. Apple is expected to release a similar security update for Mac OS X very shortly. When it does, you should apply that update to your computer.
We will be sharing additional security tips and best practices in future client updates. As always, if you have any questions about this issue, backing up, or updating your devices, please don’t hesitate to contact your Call Andy! engineer.
As always, please contact your Call Andy! engineer before making any major change such as this one. We can certainly answer all your questions, and if necessary, help you to successfully make the move to this new Mac experience.
As always, thank you for your continued reliance on us as your Mac IT resource.
Andy, Rob and Max