Apple Inc. has released a new version of its iOS mobile device operating system to address a flaw that could enable attackers to intercept and manipulate encrypted network data.
Late Friday, the Cupertino, Calif.-based vendor released iOS 7.0.6 for the iPhone 4 and later, the fifth-generation iPod touch, and the iPad 2 and later. According to Apple, until the patch is installed, an attacker with a privileged network position may be able to capture or modify data in SSL/TLS sessions.
The SANS Internet Storm Center (ISC) noted that the bug makes SSL/TLS sessions vulnerable to man-in-the-middle attacks.
"This bug makes SSL worthless if an attacker is on the same network as you," said Rich Mogull, CEO and analyst with research firm Securosis LLC, in a blog post Saturday. "If you are in an enterprise, either push the update with MDM as soon as possible, or email employees to self-update all their devices."
However, security researcher Adam Langley confirmed over the weekend that OS X is also vulnerable, up to and including version 10.9.1, released in December. An OS X patch has not been released as of Sunday night, but SANS ISC reported that Apple has confirmed the issue in OS X and that a patch is "coming soon."
Until an OS X patch becomes available, experts say enterprises should encourage users to avoid using OS X devices on public networks or other networks where communications are likely to be intercepted.
Mogull noted that it is unusual for Apple to issue a one-off, out-of-band patch, speculating that it may be an indicator that the flaw was about to be publicly disclosed or that it is being actively exploited in the wild.