Security Corner

Feb 23 2014   6:21PM GMT

Update your iOS to 7.06 on iPad and iPhone!

Ken Harthun Ken Harthun Profile: Ken Harthun

ios-706Apple has released a security update for iOS. (Use this URL: http://support.apple.com/kb/HT6147 for details.) Here’s what Apple says about it:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Basically, this means you are open to a man-in-the-middle (MITM) attack. Engineers at CrowdStrike (see this post) describe the vulnerability and the attack method.

To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).

This has NOT been patched for OS X, which also has this vulnerability, so Mac users are still at risk until Apple issues a patch.

You can check gotofail.com to see if your device is vulnerable. I checked my MacBook Pro with both Safari and Google Chrome. Safari is vulnerable, Chrome is not, so I suggest you not use Safari on your Mac until after Apple issues the patch.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: