Serious Apple Security Flaw Discovered in iOS and OS X
Apple (NASDAQ:AAPL) has acknowledged a major security flaw in its mobile iOS operating system software that could allow hackers to view or alter communication data on unsecured wireless networks, reports Engadget. Apple has already issued two updates – iOS 7.0.6 and iOS 6.1.6 — to address the security vulnerability. Per Apple, the iOS 7.0.6 patch repairs the security hole for iPhone 4 and later, iPod touch (fifth generation), and iPad 2 and later. The iOS 6.1.6 patch is available for the iPhone 3GS and the fourth-generation iPod touch.
“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” noted Apple on its support page for the security patch. “Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.”
Unfortunately, the security flaw appears to extend beyond Apple’s mobile devices. According to security firm Crowdstrike, a similar security flaw is also present in Apple’s OS X operating system. Apple has yet to issue a security patch for OS X, although one is expected soon.
As noted by Crowdstrike, an attacker must stage a “man-in-the-middle” attack via an unsecured network in order to exploit the security flaw. “Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake,” stated Crowdstrike on its company blog. “This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”