Apple patches a dangerous SSL bug in iOS

Apple released on Friday, February 21st, a software update, version 7.0.6, to fix a security issue in various iOS versions. The bug allows attackers to act as a man-in-the-middle: to read and modify the encrypted communication of an iPhone, iPad or iPod. The company says it is also working on a fix for OS X.

According to the KB article, Secure Transport failed to validate the authenticity of the connection. The issue was addressed by restoring the missing validation steps.

What does this mean?

When a device talks SSL/TLS with a server, it must perform several steps to make sure that the server is who it says it is. Because of this bug, an iOS device would blindly trust a server, no matter what it claims to be, as long as it presents a valid SSL certificate (issued by a trusted authority). For example, if you do your online banking, a man-in-the-middle attack would succeed if the fake server manages to present a certificate that impersonates the bank’s servers. With so many trusted authorities hacked in the past, it is not impossible to impersonate pretty much any entity on the Internet.
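The validation step that had gone missing was the check that the server actually proves possession of the private key belonging to the certificate it presents (the signature over the key exchange), and the defect itself was a duplicated `goto fail;` line that made the rest of the check unreachable. The following constructed C model, added here and not Apple's or this post's code, reproduces that control-flow shape: a toy keyed hash stands in for the real signature, and all names, keys and `check_*` helpers are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS client's server-authentication steps; not
 * Apple's code. A keyed FNV hash stands in for the public-key signature
 * (in this symmetric toy the same key serves as public and private key). */
enum { OK = 0, ERR_CHAIN = 1, ERR_HOST = 2, ERR_SIG = 3 };

typedef struct {
    const char *issuer;   /* CA that issued the certificate */
    const char *subject;  /* host name in the certificate */
    uint64_t key;         /* stand-in for the certificate's key pair */
} cert_t;

typedef struct {
    cert_t cert;             /* certificate the server presented */
    const char *hostname;    /* host the client intended to reach */
    const char *transcript;  /* key-exchange data the server must sign */
    uint64_t signature;      /* signature the server presented */
} handshake_t;

static uint64_t toy_sign(uint64_t key, const char *msg) {
    uint64_t h = 1469598103934665603ULL ^ key;   /* FNV-1a seeded with key */
    for (; *msg; msg++) { h ^= (unsigned char)*msg; h *= 1099511628211ULL; }
    return h;
}
static int check_chain(const cert_t *c) { return strcmp(c->issuer, "Trusted CA") ? ERR_CHAIN : OK; }
static int check_host(const handshake_t *h) { return strcmp(h->cert.subject, h->hostname) ? ERR_HOST : OK; }
static int check_sig(const handshake_t *h) { return toy_sign(h->cert.key, h->transcript) == h->signature ? OK : ERR_SIG; }

/* Buggy verifier: the duplicated `goto fail;` jumps unconditionally, so the
 * signature check after it is dead code and err is still OK at fail:. */
int verify_server_buggy(const handshake_t *h) {
    int err = OK;
    if ((err = check_chain(&h->cert)) != OK) goto fail;
    if ((err = check_host(h)) != OK) goto fail;
    goto fail;                /* duplicated line: the copy-paste mistake */
    if ((err = check_sig(h)) != OK) goto fail;
fail:
    return err;
}
/* Fixed verifier: every validation step runs before the server is trusted. */
int verify_server_fixed(const handshake_t *h) {
    int err = OK;
    if ((err = check_chain(&h->cert)) != OK) goto fail;
    if ((err = check_host(h)) != OK) goto fail;
    if ((err = check_sig(h)) != OK) goto fail;
fail:
    return err;
}
/* Constructed scenario: the bank's genuine certificate (key 0x1234) is
 * presented; signer_key is whoever actually signed the key exchange. */
int scenario_result(int (*verify)(const handshake_t *), uint64_t signer_key) {
    handshake_t h = { { "Trusted CA", "bank.example", 0x1234ULL }, "bank.example",
                      "ServerKeyExchange", toy_sign(signer_key, "ServerKeyExchange") };
    return verify(&h);
}
```

With the real bank key the fixed verifier accepts; with any other key the buggy verifier still returns OK while the fixed one returns ERR_SIG, which is exactly the gap the update closes.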


What to do

You need to trigger an update of iOS.

If you don’t see a message like the one below, go to Settings -> General -> Software Update and trigger the update manually.



This is what you should see when the device detects the update. Note that the update can only be done when the iOS device is connected to a wireless network.




Other iOS Devices

Other iOS devices also received the update: Apple TV, iPad 2 and later, the latest iPod generation, iPhone 4 and later. For a complete list, please check the dedicated support page.

| Name and information link | Released for | Release date |
|---|---|---|
| Apple TV 6.0.2 | Apple TV 2nd generation and later | 21 Feb 2014 |
| iOS 7.0.6 | iPhone 4 and later, iPod touch (5th generation), iPad 2 and later | 21 Feb 2014 |
| iOS 6.1.6 | iPhone 3GS, iPod touch (4th generation) | 21 Feb 2014 |



Sorin Mustaca

IT Security Expert


from Avira – TechBlog

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT Security industry for over 20 years and worked from 2003 to 2014 for Avira as Product Manager for its well-known products, used by over 100 million users worldwide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.