Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Fixes Dangerous SSL Authentication Flaw In iOS

Posted by timothy on from the are-you-telling-us-the-whole-story? dept.

wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the mobile popular OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a 'privileged network position could capture or modify data in sessions protected by SSL/TLS.' 'While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attack,' VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible." Adds reader Trailrunner7: "The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be for an attacker with a man-in-the-middle position on the victim's network would be able to read supposedly secure communications. It's not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."

3 of 101 comments (clear)

  1. Re:How about OS X? by Anonymous Coward · · Score: 0, Funny

    ... 10.9.2, which is in beta ...

    And we all know how much we love beta...

  2. Re:goto fail by arglebargle_xiv · · Score: 1, Funny

    Yeah, you'd think a compiler should have caught that.. but neither GCC or Xcode seems to do that.

    Visual Studio will detect and complain about this. So all Apple would need to do is switch to Microsoft Vis.... oh. Damn.

  3. Re:And thus is it delivered to all supported devic by Anonymous+Brave+Guy · · Score: 3, Funny

    Unfortunately, Apple seem to have abandoned iOS 5 support already.

    iOS 6 isn't even 18 months old yet and was their Windows Vista, so a lot of people didn't upgrade. iOS 7 isn't even 6 months old, had security problems of its own at launch, and runs like a limping dog on some very popular devices still in widespread use, so a lot of people didn't upgrade to that either.

    The vulnerability here was caused by a rookie error that could easily have been found and fixed by following any one of several best practices in their software development process, and for something security-related they should have been following all of them.

    This is a very poor show from Apple on all counts. :-(

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.