
Apple issues critical iOS SSL patch; OS X still vulnerable

SearchSecurity Staff

Apple Inc. has released a new version of its iOS mobile device operating system to address a flaw that could enable attackers to intercept and manipulate encrypted network data.

Late Friday, the Cupertino, Calif.-based vendor released iOS 7.0.6 for iPhone 4, later fifth-generation iPod touch devices, and iPad version 2 and later. According to Apple, until the patch is installed, an attacker with a privileged network position may be able to capture or modify data in SSL/TLS sessions.

The SANS Internet Storm Center (ISC) noted that the bug makes SSL/TLS sessions vulnerable to man-in-the-middle attacks.

"This bug makes SSL worthless if an attacker is on the same network as you," said Rich Mogull, CEO and analyst with research firm Securosis LLC, in a blog post Saturday. "If you are in an enterprise, either push the update with MDM as soon as possible, or email employees to self-update all their devices."

However, security researcher Adam Langley confirmed over the weekend that OS X is also vulnerable, up to and including version 10.9.1, released in December. An OS X patch has not been released as of Sunday night, but SANS ISC reported that Apple has confirmed the issue in OS X and that a patch is "coming soon."

Until an OS X patch becomes available, experts say enterprises should encourage users to avoid using OS X devices on public networks or other networks where communications are likely to be intercepted.

Mogull noted that it is unusual for Apple to issue a one-off, out-of-band patch, speculating that it may be an indicator that the flaw was about to be publicly disclosed or that it is being actively exploited in the wild.

