Printed from http://www.electronista.com

SSL vulnerability revealed as major issue; forced release of iOS patch

updated 04:15 pm EST, Sun February 23, 2014

OS X said to be vulnerable to same style of attack, patch to come

On February 21, Apple released a patch for iOS bringing iOS 7 and 6 to versions 7.06 and 6.16 (respectively), with little fanfare as to why the patch was issued. However, it now appears to have had more to it than a simple fix to SSL connections. The release notes mentioned a Secure Sockets Layer (SSL) vulnerability for "an attacker with a privileged network," meaning that a flaw in the SSL implementation could conceivably allow for a "man-in-the-middle" attack, as uncovered by ZDNet.

The patch fixes a vulnerability that was keeping the system from doing SSL/TLS hostname checks, leaving communications unencrypted that were meant to be encrypted. The flaw could leave data such as passwords and personal information open to interception by someone on the same network who was using software to decode transmissions. According to ZDNet's report, "the vulnerability allows anyone with a certificate signed by a 'trusted CA' to do a man-in-the-middle (MITM) attack." The flaw could very well be how the NSA claimed to be able to spy on iOS devices in the past, though there is no firm evidence of that -- or of any significant use of the loophole -- thus far.

Phil Plait of Slate has noted that the patch itself has also caused problems, and is said to have "bricked" several Apple devices for some users, including issues which he documented with his own iPad 2.

OS X has apparently also been open to a similar flaw, possibly for several months, perhaps even dating back to version 10.7. In a statement to Reuters on Saturday, Apple spokeswoman Trudy Muller said that the company is "aware of this issue, and already have a software fix that will be released very soon." No official date has been announced, though it should be noted that there have also been no reports of system compromises that can be tied to this bug thus far. In the meantime, Mac users may wish to tread carefully when engaging in sensitive activities on public Wi-Fi networks until the update for OS X is released.



By Electronista Staff

Comments

  1. Mechanic

    Fresh-Faced Recruit

    Joined: 12-11-11

    Forced my ass it was coming out because of the bug no one forced apple to do anything.
    No news here. Yawn! Move on

  1. Sebastien

    Registered User

    Joined: 04-29-00

    It was reported by developers. To not publish it ASAP would be borderline criminal.

  1. Grendelmon

    Dedicated MacNNer

    Joined: 12-26-07

    Originally Posted by Mechanic

    Forced my ass it was coming out because of the bug no one forced apple to do anything.
    No news here. Yawn! Move on



    Yeah, it's no news at all.

    http://au.ibtimes.com/articles/540263/20140224/apple-inc-mac-os-bug-ssl-tls.htm
