Apple's latest 35.4 MB update, iOS 7.0.6, doesn't seem important at first, but it contains a critical security patch that addresses a flaw in its SSL encryption.
Yes, a very critical security vulnerability that could allow hackers to intercept email and other communications that are meant to be encrypted on iPhones, iPads and Mac computers.
Apple provides very little information when disclosing security issues. 'For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,' the security advisory says.
Cryptography experts immediately tried to figure out what was wrong with Apple's implementation of Secure Sockets Layer (SSL), and the details are:
Impact: The vulnerability, assigned CVE-2014-1266, affects both the iOS and OS X operating systems and is described as 'Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.' In other words, anyone with a certificate signed by a "trusted CA" can perform a man-in-the-middle (MITM) attack.
So, if an attacker has access to a mobile user's network, for example because both are sharing the same wireless service, the hacker could intercept communication between the user and protected sites such as Gmail and Facebook.
More Technical details are available here.
Practically: Apple did not say when or how it learned about the weakness, nor did it say whether the flaw was being exploited. But using such a flaw, NSA-like agencies could hack all your passwords and messages, as they did with employees of Belgium's largest telecom provider, Belgacom, by spoofing LinkedIn and Slashdot pages.
The fundamental flaw resides in Apple's SSL implementation: by exploiting it, an attacker can bypass the SSL/TLS verification routines during the initial connection handshake and perform full interception of encrypted traffic between you and the destination server.
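The "missing validation steps" in the advisory come down to a control-flow defect in the handshake's signature check. The following is an added, simplified reconstruction of that pattern (not Apple's Secure Transport source): the hashing steps and the signature verifier are constructed stand-ins, and the buggy variant shows how one stray, unconditional jump to the cleanup label leaves the error code at 0 so an invalid ServerKeyExchange signature is accepted, while the fixed variant actually reaches the check.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the intermediate handshake hashing steps:
 * returns 0 on success, non-zero on failure. */
static int hash_step(bool fails) { return fails ? -1 : 0; }

/* Constructed stand-in for the final signature verification over the
 * ServerKeyExchange: 0 if the signature is valid, non-zero otherwise. */
static int verify_signature(bool sig_valid) { return sig_valid ? 0 : -1; }

/* Buggy variant: the duplicated, unindented "goto fail" is unconditional,
 * so execution jumps to the cleanup label with err still 0 and
 * verify_signature() is never called. A forged signature passes. */
int verify_key_exchange_buggy(bool sig_valid)
{
    int err;
    if ((err = hash_step(false)) != 0)
        goto fail;
    if ((err = hash_step(false)) != 0)
        goto fail;
        goto fail;               /* duplicated line: always taken */
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;                  /* 0 means the connection is accepted */
}

/* Fixed variant: the stray jump is removed, restoring the missing
 * validation step, so a bad signature now yields a non-zero error. */
int verify_key_exchange_fixed(bool sig_valid)
{
    int err;
    if ((err = hash_step(false)) != 0)
        goto fail;
    if ((err = hash_step(false)) != 0)
        goto fail;
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("buggy, invalid signature -> err %d\n", verify_key_exchange_buggy(false));
    printf("fixed, invalid signature -> err %d\n", verify_key_exchange_fixed(false));
    return 0;
}
```

Compilers and linters that flag unreachable code would have pointed at the dead signature check, which is why such warnings belong in a crypto library's build.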
'Software update mechanisms which download and execute code without cryptographically verifying signatures of the downloaded code may be exploitable. However, update mechanisms which correctly employ signature verification of downloaded contents are less likely to be exploitable by this vulnerability,' John Costello, Security Researcher at CrowdStrike, said in a blog post.
Security Patch: The company has also released an Apple TV update and iOS 6.1.6 today to address the same issue. Update your Apple devices and systems to the latest available versions as soon as possible.
To check whether your web browser (especially Apple's Safari) is vulnerable to the SSL flaw, click here.
To update your iOS device, first make sure you're on a trusted, password-protected home or office Wi-Fi network. If you're running iOS 7, you'll be prompted to install iOS 7.0.6; if iOS 6, it'll be iOS 6.1.3. Tap Download and Install.