Apple drops iOS update to plug securty hole, but OS X may be affected too

Apple drops iOS update to plug securty hole, but OS X may be affected too
Missing steps added to cure vulnerability in iOS 7

Apple has dropped iOS 7.0.6 to fix a previously unheard of security issue, which left iPhones and iPads vulnerable to hackers operating on the same unsecured wireless network.

The flaw in the way iOS devices handles secure sockets layer (SSL) and transport socket layer (TSL) authentication could allow for data to be intercepted by third parties the company said.

In its release notes, Apple claimed to have had restored "missing validation steps" in order to nix the bug, but said it did not divulge the full nature of security issues until an investigation had taken place.

It wrote: "Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

"Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."

OS X affected too?

It is not known whether the flaw had been exploited, but one expert, Johns Hopkins University cryptography professor Matthew Green, called the oversight "as bad as you could imagine."

Security firm CrowdStrike took a look around the iOS 7.0.6 and concluded that Mac OS X devices are at risk from the flaw too, and said it expects Apple to launch an update for its desktop software too.

Explaining the nature of the flaw in layman's terms, Crowdstrike wrote: "To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake.

"This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favourite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system)."

So there you have it. We have no idea how long these "missing steps" were missing, or whether they've always been absent. Needless to say, it's advisable to get on that iOS 7.0.6 update with a quickness.

Via Reuters

Chris Smith

A technology journalist, writer and videographer of many magazines and websites including T3, Gadget Magazine and TechRadar.com. He specializes in applications for smartphones, tablets and handheld devices, with bylines also at The Guardian, WIRED, Trusted Reviews and Wareable. Chris is also the podcast host for The Liverpool Way. As well as tech and football, Chris is a pop-punk fan and enjoys the art of wrasslin'.