Apple hit by serious SSL security flaw
February 24, 2014 | 11:21
Apple's iOS and OS X operating systems have been hit by a serious - yet incredibly simple - flaw in their encryption system, leaving users open to attack on connections which should be secure and trusted.
Both Apple's iOS and OS X software packages, for its mobile and mainstream devices respectively, provide an encryption subsystem for developers to call when making use of SSL or TLS encrypted network connections. The subsystem is used by everything from the Safari browser and the operating system's built-in software update tool to Twitter and the Calendar application - but it has a serious flaw.
A simple coding error, repeating a line twice in the software's source code, skips over a step of the authentication process designed to ensure that the certificate used to encrypt a connection is from the target system and not a third-party - preventing man-in-the-middle attacks, where a fake connection with a fake certificate is used to capture and decrypt supposedly secure traffic.
It's a major flaw, and one that can expose usernames, passwords, and even allow an attacker to pose as Apple's own update server to have the operating system install malware. Worse, it's being actively attacked with security researchers pointing to in-the-wild exploits targeting Apple's user base.
The flaw came to light when Apple released an update for iOS 6 and iOS 7, dubbed iOS 6.1.6 and iOS 7.0.6 respectively. This update resolves the problem on affected iPhone, iPad, iPod Touch and Apple TV products, but the same flaw is shared in the desktop and laptop OS X operating system which has yet to receive an update.
The advice, for now, is to be extremely careful when using untrusted connections - in particular public Wi-Fi hotspots - and to switch from Safari to a third-party browser which uses its own authentication mechanism, such as Mozilla's Firefox or Google's Chrome.