Apple patches a dangerous SSL bug in iOS

On Friday, February 21st, Apple released software update 7.0.6 to fix a security issue in various iOS versions. The bug allows attackers to act as a man-in-the-middle: to read and modify the encrypted communication on iPhone, iPad and iPod. The company says it is also working on a fix for OS X.

According to the KB article, Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
 

What does this mean?

When a device talks SSL/TLS with a server, it must perform several steps to make sure that the server is who it says it is. Because of this bug, the iOS device would blindly trust a server, no matter who it pretends to be, as long as it presents a valid SSL certificate (generated by a trusted authority). For example, if you do your online banking, a man-in-the-middle attack would succeed if the fake server manages to present a certificate that impersonates the bank's servers. With so many trusted authorities (TAs) hacked in the past, it is not impossible to impersonate pretty much any entity on the Internet.
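The following Python example is an addition to this post, not Apple's Secure Transport code, and it does not reproduce the specific step that was missing in iOS. It shows what a TLS client's validation steps protect against: a certificate that is valid in itself is accepted for the wrong server as soon as one check is skipped. The host names, the sample certificate and the function names are constructed for illustration, and the chain of trust is assumed to have been verified already by the TLS library.

```python
import ssl

# Constructed certificate in the dict form returned by ssl.SSLSocket.getpeercert().
# Assumption: the TLS library has already verified the chain up to a trusted CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.other-site.example"),),),
    "subjectAltName": (("DNS", "www.other-site.example"),
                       ("DNS", "*.cdn.other-site.example")),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
FEB_21_2014 = 1392940800  # 2014-02-21 00:00:00 UTC, as seconds since the epoch


def name_matches(pattern, host):
    """Match one DNS name from the certificate against the host we asked for.

    A wildcard may only stand for the whole left-most label, and only when
    at least two further labels follow it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def validate(cert, expected_host, now, check_identity=True):
    """Return (accepted, reason). check_identity=False models a skipped step."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False, "outside validity period"
    if check_identity:
        names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if not any(name_matches(n, expected_host) for n in names):
            return False, "certificate is not issued for " + expected_host
    return True, "ok"


if __name__ == "__main__":
    # The client wanted www.bank.example but was shown SAMPLE_CERT.
    print(validate(SAMPLE_CERT, "www.bank.example", FEB_21_2014))
    print(validate(SAMPLE_CERT, "www.bank.example", FEB_21_2014, check_identity=False))
```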

 

What to do

You need to trigger an update of iOS.

If you don’t see a message like the one below, go to Settings -> General -> Software Update and trigger the update manually.

[Image: ios-update2]

 

This is what you should see when the device detects the update. Note that the update can only be done when the iOS device is connected to a wireless network.

[Image: ios-update]

 

 

Other iOS Devices

Other iOS devices also got the update: Apple TV, iPad v2+, iPod last generation, iPhone 4+. For a complete list, please check the dedicated support page.
 

Name and information link | Released for | Release date
Apple TV 6.0.2 | Apple TV 2nd generation and later | 21 Feb 2014
iOS 7.0.6 | iPhone 4 and later, iPod touch (5th generation), iPad 2 and later | 21 Feb 2014
iOS 6.1.6 | iPhone 3GS, iPod touch (4th generation) | 21 Feb 2014

 

 

Sorin Mustaca

IT Security Expert


from Avira – TechBlog http://bit.ly/1jsY5NC


© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

