Apple issues critical iOS SSL patch; OS X still vulnerable


Apple issues critical iOS SSL patch; OS X still vulnerable

SearchSecurity Staff

Apple Inc. has released a new version of its iOS mobile device operating system to address a flaw that could enable attackers to intercept and manipulate encrypted network data.

Late Friday, the Cupertino, Calif.-based vendor released iOS 7.0.6

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

for iPhone 4, later fifth-generation iPod touch devices, and iPad version 2 and later. According to Apple, until the patch is installed, an attacker with a privileged network position may be able to capture or modify data in SSL/TLS sessions.

The SANS Internet Storm Center (ISC) noted that the bug makes SSL/TLS sessions vulnerable to man-in-the-middle attacks.

"This bug makes SSL worthless if an attacker is on the same network as you," said Rich Mogull, CEO and analyst with research firm Securosis LLC, in a blog post Saturday. "If you are in an enterprise, either push the update with MDM as soon as possible, or email employees to self-update all their devices."

However, security researcher Adam Langley confirmed over the weekend that OS X is also vulnerable, up to and including version 10.9.1, released in December. An OS X patch has not been released as of Sunday night, but SANS ISC reported that Apple has confirmed the issue in OS X and that a patch is "coming soon."

Until an OS X patch becomes available, experts say enterprises should encourage users to avoid using OS X devices on public networks or other networks where communications are likely to be intercepted.

Mogull noted that it is unusual for Apple to issue a one-off, out-of-band patch, speculating that it may be an indicator that the flaw was about to be publicly disclosed or that it is being actively exploited in the wild.