24 Feb 2014
Apple released a software patch for iOS 7 that reveals an SSL vulnerability which also exposes other Apple devices to man-in-the-middle (MITM) attacks, according to zdnet.com.
The software "failed to validate the authenticity of the connection," Apple said.
An update was issued for the current version of iOS for the iPhone 4 and later, the 5th-generation iPod touch, and the iPad 2 and later. However, the same SSL encryption flaw affects Apple laptops and desktop computers running Mac OS X.
Apple has not announced patches for these devices, so user credentials can be intercepted by anyone who can present what appears to be a trusted certificate (the credential used to make secure connections to a server over the Internet) in a man-in-the-middle attack. This is a form of active eavesdropping in which the attacker sits between the user and a website, such as Facebook or Google, and reads the communication in the clear.
“The vulnerability resides in the Secure Transport implementation which fails to provide hostname verification. This means that any digital certificate would validate for any number of websites as long as it is valid, thus leaving the user open to a man-in-the-middle attack scenario,” said Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender. “Apparently, the bug is caused by a duplicate Goto instruction that hijacks logic in the SSLVerifySignedServerKeyExchange function.”
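To show how a duplicated goto line can skip a verification step, here is a simplified C model added for this article; it is not Apple's Secure Transport code. The handshake context, the stand-in `hash_update` and `verify_signature` helpers (a plain string comparison instead of a real RSA check), and the error codes are all constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for handshake state: the signature a genuine server
 * would have produced over the key-exchange parameters, the signature that
 * actually arrived, and a switch to simulate an earlier step failing. */
typedef struct {
    const char *expected_sig;
    const char *received_sig;
    bool hash_update_ok;
} HandshakeCtx;

/* Models the hash-update calls that precede signature verification. */
static int hash_update(const HandshakeCtx *ctx) {
    return ctx->hash_update_ok ? 0 : -1;   /* -1: assumed "hash error" code */
}

/* Models the final signature check; -2 is an assumed "bad signature" code. */
static int verify_signature(const HandshakeCtx *ctx) {
    return strcmp(ctx->expected_sig, ctx->received_sig) == 0 ? 0 : -2;
}

/* Buggy shape: the second "goto fail;" is outside any if, so it always runs.
 * verify_signature() is never reached, and err still holds 0 from the last
 * successful hash_update(), so a forged signature is reported as success. */
static int buggy_verify_key_exchange(const HandshakeCtx *ctx) {
    int err;
    if ((err = hash_update(ctx)) != 0)
        goto fail;
        goto fail;                        /* the duplicated line */
    if ((err = verify_signature(ctx)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: with the stray goto removed, the signature check is reached
 * and its result decides whether the handshake continues. */
static int fixed_verify_key_exchange(const HandshakeCtx *ctx) {
    int err;
    if ((err = hash_update(ctx)) != 0)
        goto fail;
    if ((err = verify_signature(ctx)) != 0)
        goto fail;
fail:
    return err;
}
```

Compilers can flag the dead `verify_signature` call with an unreachable-code warning, which is one practical check that would have caught this pattern.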
Apple has not released a statement on when to expect this patch, or on which versions of the iPhone, iPad, iPod touch, or Mac are affected by the security flaw.