Apple Inc. has released a new version of its iOS mobile operating system to address a flaw that could enable attackers to intercept and manipulate encrypted network data.
Late Friday, the Cupertino, Calif.-based vendor released iOS 7.0.6 for iPhone 4 and later, fifth-generation iPod touch devices, and iPad 2 and later. According to Apple, until the update is installed, an attacker with a privileged network position may be able to capture or modify data in SSL/TLS sessions.
The SANS Internet Storm Center (ISC) noted that the bug exposes SSL/TLS sessions to man-in-the-middle attacks, in which an attacker positioned between the client and the server can read or alter traffic that both ends believe is protected.
"This bug makes SSL worthless if an attacker is on the same network as you," said Rich Mogull, CEO and analyst with research firm Securosis LLC, in a blog post Saturday. "If you are in an enterprise, either push the update with MDM as soon as possible, or email employees to self-update all their devices."
Meanwhile, security researcher Adam Langley confirmed over the weekend that OS X is also vulnerable, up to and including version 10.9.1, released in December. No OS X patch had been released as of Sunday night, but SANS ISC reported that Apple has confirmed the issue in OS X and that a patch is "coming soon."
Until an OS X patch becomes available, experts say enterprises should encourage users to avoid using OS X devices on public Wi-Fi or any other network where communications are likely to be intercepted, since the flaw only matters when an attacker can get between the device and the server it is talking to.
Mogull noted that it is unusual for Apple to issue a one-off, out-of-band patch, speculating that it may indicate the flaw was about to be publicly disclosed or was already being exploited in the wild.