Apple patches a dangerous SSL bug in iOS

On Friday, February 21st, Apple released iOS 7.0.6, a software update that fixes a security issue present in several iOS versions. The bug allows an attacker to act as a man-in-the-middle and read or modify encrypted communication on iPhone, iPad and iPod touch. Apple says it is also working on a fix for OS X, which is affected by the same bug.

According to Apple's KB article (the issue is tracked as CVE-2014-1266), Secure Transport failed to validate the authenticity of the connection. The issue was addressed by restoring the missing validation steps.
 

What does this mean?

When a device sets up an SSL/TLS connection, it has to perform several checks to make sure the server really is who it claims to be: the certificate must chain to a trusted certificate authority (CA), it must match the host name, and the server must prove that it holds the private key belonging to that certificate. Because of this bug, Secure Transport skipped the last of these checks for the common cipher suites that use an ephemeral (DHE/ECDHE) key exchange: the signature the server places on its ServerKeyExchange message was never actually verified. An attacker sitting between the device and the server therefore did not even need a forged certificate; presenting the bank's genuine, publicly available certificate chain was enough to complete the handshake without the bank's private key. For example, if you do your online banking over a hostile Wi-Fi network, a man-in-the-middle could read and modify the traffic while the device still shows the connection as secure. A CA-issued certificate for a look-alike name would have worked as well, and with so many CAs compromised in the past that is not a theoretical concern, but it was not required here.
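The validation step that went missing was the signature check itself: in Secure Transport's ServerKeyExchange handling, a duplicated `goto fail;` line jumped past the call that verifies the server's signature while the error variable still held the success code from the preceding hash step. The following is an added example written for this page, a simplified reconstruction of that control-flow pattern and not Apple's source code; OSStatus, SSLBuffer, hash_update and raw_verify are constructed stand-ins for the real hashing and signature-verification routines, and the byte arrays are made-up test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for Secure Transport's internal types. The real
 * code hashes the handshake parameters and verifies an RSA/ECDSA signature
 * with the public key taken from the server's certificate. */
typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809, errSSLBadSig = -9807 };

typedef struct {
    const uint8_t *data;
    size_t length;
} SSLBuffer;

/* Stand-in for a hash-context update: fails only on a missing buffer. */
static OSStatus hash_update(const SSLBuffer *b)
{
    return (b != NULL && b->data != NULL) ? errSecSuccess : errSSLCrypto;
}

/* Stand-in for sslRawVerify(): the "signature" is valid only when it is
 * byte-for-byte the value the genuine private key would have produced. */
static OSStatus raw_verify(const SSLBuffer *sig, const SSLBuffer *expected)
{
    if (sig == NULL || sig->length != expected->length ||
        memcmp(sig->data, expected->data, sig->length) != 0)
        return errSSLBadSig;
    return errSecSuccess;
}

typedef OSStatus (*verify_fn)(const SSLBuffer *, const SSLBuffer *,
                              const SSLBuffer *, const SSLBuffer *);

/* Vulnerable shape. The second, unconditional "goto fail;" always runs, so
 * control reaches the cleanup label with err still holding errSecSuccess
 * from the last hash step. raw_verify() is dead code: any signature passes. */
OSStatus verify_key_exchange_vulnerable(const SSLBuffer *server_random,
                                        const SSLBuffer *signed_params,
                                        const SSLBuffer *sig,
                                        const SSLBuffer *expected)
{
    OSStatus err;

    if ((err = hash_update(server_random)) != 0)
        goto fail;
    if ((err = hash_update(signed_params)) != 0)
        goto fail;
        goto fail;                 /* the defect: duplicated line */
    if ((err = raw_verify(sig, expected)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: one goto per check, braces around every body, and the
 * signature check is reached whenever hashing succeeded. */
OSStatus verify_key_exchange_fixed(const SSLBuffer *server_random,
                                   const SSLBuffer *signed_params,
                                   const SSLBuffer *sig,
                                   const SSLBuffer *expected)
{
    OSStatus err;

    if ((err = hash_update(server_random)) != 0) {
        goto fail;
    }
    if ((err = hash_update(signed_params)) != 0) {
        goto fail;
    }
    if ((err = raw_verify(sig, expected)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed test data: handshake parameters, the signature the genuine
 * key would produce, and a forged one an attacker without the key sends. */
static const uint8_t kParams[]  = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t kGoodSig[] = { 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t kBadSig[]  = { 0x00, 0x00, 0x00, 0x00 };

/* Returns 1 if the given verifier accepts sig_bytes as the signature over
 * kParams, 0 if it rejects it. */
int verifier_accepts(verify_fn verify, const uint8_t *sig_bytes, size_t sig_len)
{
    SSLBuffer params   = { kParams,   sizeof kParams };
    SSLBuffer good_sig = { kGoodSig,  sizeof kGoodSig };
    SSLBuffer sig      = { sig_bytes, sig_len };
    return verify(&params, &params, &sig, &good_sig) == errSecSuccess;
}

int main(void)
{
    printf("vulnerable accepts forged signature: %d\n",
           verifier_accepts(verify_key_exchange_vulnerable, kBadSig, sizeof kBadSig));
    printf("fixed accepts forged signature:      %d\n",
           verifier_accepts(verify_key_exchange_fixed, kBadSig, sizeof kBadSig));
    return 0;
}
```

The vulnerable verifier reports success for the forged signature while the fixed one rejects it and still accepts the genuine one. The lesson for code reviewers is that an unbraced `if` followed by an indented but unconditional statement survives a casual reading; braces on every body and an unreachable-code warning treated as an error in CI would both have flagged the dead call.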

 

What to do

You need to install the iOS update as soon as possible.

If you don't see a message like the one below, go to Settings -> General -> Software Update and trigger the update manually.

[Image: ios-update2]

 

This is what you should see when the device detects the update. Note that the over-the-air update can only be installed while the iOS device is connected to a Wi-Fi network; alternatively, connect the device to a computer and update it through iTunes.

[Image: ios-update]

Other iOS Devices

Other Apple devices received the update too: Apple TV (2nd generation and later), iPad 2 and later, iPod touch (4th and 5th generation) and iPhone 3GS and later. Older devices that cannot run iOS 7 get iOS 6.1.6 instead. For a complete list please check the dedicated support page.
 

Name              Released for                                                        Release date
Apple TV 6.0.2    Apple TV 2nd generation and later                                   21 Feb 2014
iOS 7.0.6         iPhone 4 and later, iPod touch (5th generation), iPad 2 and later   21 Feb 2014
iOS 6.1.6         iPhone 3GS, iPod touch (4th generation)                             21 Feb 2014

Sorin Mustaca

IT Security Expert


Originally published on the Avira TechBlog: http://bit.ly/1jsY5NC


© Copyright 2014 Sorin Mustaca, all rights reserved. Written for: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry since 2000 and worked for Avira between 2003 and 2014 as Product Manager for its well-known products, used by over 100 million users worldwide. Today he is an independent IT security consultant focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.
