The Latest in IT Security

Apple Fixes Dangerous SSL Authentication Flaw in iOS

22
Feb
2014

iOS SSL Validation Flaw Enables Man-in-the-Middle Attacks

Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw (CVE-2014-1266) in the mobile popular OS.

The 35.4 MB update on an iPhone 5S, released by Apple on Friday, brings the latest version to iOS 7.0.6 and provides an SSL connection verification fix.

While Apple provides very little information when disclosing security issues, the company said that an attacker with a “privileged network position could capture or modify data in sessions protected by SSL/TLS.”

According to Apple’s security notice, “Secure Transport failed to validate the authenticity of the connection.” Apple says it has addressed the issue by restoring the missing validation steps.

“While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through MitM (Man-in-the-Middle) [attacks],”Chaouki Bekrar, CEO and Head of Research at VUPEN, toldSecurityWeek.

For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications,Bekrar said.

Users should update their iOS devices as soon as possible, he added.

TheiOS 7.0.6update is available for Available for iPhone 4 and later, iPod touch (5th generation), iPad 2 and later. Apple also released an update (iOS 6.1.6) for older versions of iOS that supportsiPhone 3GS and iPod touch (4th generation).

The same flaw apparently affects Apple TV devices, as Apple released Apple TV 6.0.2 to address the same issue.

To get the latest iOS update, from your iOS device go to Settings General Software Update, and then tap on “Download and Install”.

Related: Exclusive Podcast – Vupen CEO Chaouki Bekrar Addresses Zero Day Marketplace Controversy at CanSecWest

*Upated to add details on software updates for iOS 6 and Apple TV.

Tweet

Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:Apple Fixes Dangerous SSL Authentication Flaw in iOSGoogle Acquires Spider.io to Help Combat Online Ad FraudRisk I/O Enhances Vulnerability Threat Management PlatformCloudLock Launches Selective Encryption SolutionPindrop Security Combines Voice Biometrics and Phoneprinting to Detect Fraud

sponsored links

Tags: Mobile Security

NEWS INDUSTRY

Vulnerabilities

Related posts:
  1. Apple fixes a security vulnerability in iOS
  2. Apple readies security fix for Mac after iOS flaw
  3. Apple issues fix for glaring security flaw on Mac computers
  4. Apple issues fix for major security flaw on OS X
  5. Apple releases security flaw fix for Mac desktops and notebooks

Tags:  
Written by SecurityWeek
0 Comments
Comments are closed.

Categories

WEDNESDAY, APRIL 24, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments