iOS 7.0.6 released with important SSL security fix

Apple today released iOS 7.0.6 with an important security fix:

Quote:

iOS 7.0.6
Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID

CVE-2014-1266

Available, as always, via Software Update. Direct download links for each build are in our database of iOS Devices.

jasonh

The why, the how and perhaps the who?

The why?

N.B. This applies to iOS 6 devices as well as iOS 7. A new patch is available for either OS. (One is also available for Apple TV and I expect one soon for Mac OS X, all affected by the same bug.)

An attacker with a privileged network position may capture or modify data protected by SSL/TLS. Secure Transport failed to validate the authenticity of the connection.

Apple has released security patches for iOS 7 and iOS 6.

More information here:
http://support.apple.com/kb/HT6147 (iOS 7)
http://support.apple.com/kb/HT6146 (iOS 6)

The how?

Looks like an editing or programming error. More information here:

https://www.imperialviolet.org/2014/02/22/applebug.html

Possibly the who?

On the Timing of iOS’s SSL Vulnerability and Apple’s ‘Addition’ to the NSA’s PRISM Program

http://daringfireball.net/2014/02/apple_prism

It looks likely that this bug was found and exploited in the field by the NSA. These patches should close that loophole.

Jason Holloway | Bridgeway Security Solutions Ltd | +44 (0)1223 97 90 90

www.bridgeway.co.uk
