bit-tech.net

Apple hit by serious SSL security flaw

Apple hit by serious SSL security flaw

Apple's iOS and OS X software suffers from a serious security flaw, and while iOS has been patched OS X is still vulnerable and under active attack.

Apple's iOS and OS X operating systems have been hit by a serious - yet incredibly simple - flaw in their encryption system, leaving users open to attack on connections which should be secure and trusted.

Both Apple's iOS and OS X software packages, for its mobile and mainstream devices respectively, provide an encryption subsystem for developers to call when making use of SSL or TLS encrypted network connections. The subsystem is used by everything from the Safari browser and the operating system's built-in software update tool to Twitter and the Calendar application - but it has a serious flaw.

A simple coding error, repeating a line twice in the software's source code, skips over a step of the authentication process designed to ensure that the certificate used to encrypt a connection is from the target system and not a third-party - preventing man-in-the-middle attacks, where a fake connection with a fake certificate is used to capture and decrypt supposedly secure traffic.

It's a major flaw, and one that can expose usernames, passwords, and even allow an attacker to pose as Apple's own update server to have the operating system install malware. Worse, it's being actively attacked with security researchers pointing to in-the-wild exploits targeting Apple's user base.

The flaw came to light when Apple released an update for iOS 6 and iOS 7, dubbed iOS 6.1.6 and iOS 7.0.6 respectively. This update resolves the problem on affected iPhone, iPad, iPod Touch and Apple TV products, but the same flaw is shared in the desktop and laptop OS X operating system which has yet to receive an update.

The advice, for now, is to be extremely careful when using untrusted connections - in particular public Wi-Fi hotspots - and to switch from Safari to a third-party browser which uses its own authentication mechanism, such as Mozilla's Firefox or Google's Chrome.

4 Comments

Discuss in the forums Reply
mi1ez 24th February 2014, 21:11 Quote
I was under the understanding all iOS browsers had to use Webkit and were thus all subject to the same flaw?
brave758 25th February 2014, 03:48 Quote
Lol
Gareth Halfacree 25th February 2014, 09:09 Quote
Quote:
Originally Posted by mi1ez
I was under the understanding all iOS browsers had to use Webkit and were thus all subject to the same flaw?
When I advised the reader to switch to an alternative browser, I was meaning on the as-yet still unpatched OS X; a better fix for iOS is to install 6.1.6 or 7.0.6, which fixes the problem properly.
Gareth Halfacree 25th February 2014, 23:01 Quote
OS X 10.9.2 is out now, and according to my testing just now fixes the flaw. If you're an Appleite, update now - don't delay.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums