Apple drops iOS update to plug security hole, but OS X may be affected too
22nd Feb 2014 | 13:49
Secure connection? Not so secure
The flaw in the way iOS devices handle Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication could allow data to be intercepted by third parties, the company said.
In its release notes, Apple claimed to have restored "missing validation steps" in order to nix the bug, but said it does not divulge the full nature of security issues until an investigation has taken place.
It wrote: "Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
"Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."
OS X affected too?
It is not known whether the flaw had been exploited, but one expert, Johns Hopkins University cryptography professor Matthew Green, called the oversight "as bad as you could imagine."
Security firm CrowdStrike took a look at the iOS 7.0.6 update and concluded that Mac OS X machines are at risk from the flaw as well, and said it expects Apple to release an update for its desktop software too.
Explaining the nature of the flaw in layman's terms, CrowdStrike wrote: "To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.
"This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favourite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system)."
So there you have it. We have no idea how long these "missing steps" were missing, or whether they've always been absent. Needless to say, it's advisable to get on that iOS 7.0.6 update with a quickness.