On Friday Apple released an iOS update for iPhones and iPad. iOS 7.0.6 and 6.1.6 were targeted as security fixes and as those who investigate these things have discovered they plugged a pretty serious hole. So much so that warnings of “install the patch now” should not be ignored.
The bug could could allow hackers to intercept email and other communications that are meant to be encrypted, according to a Reuters report which was issued late on Friday night.
The bug makes it fairly straightforward to intercept and decrypt SSL/TLS communications, probably the most important security protocol there is today. Any time you see Apple (or really any major vendor) release an update that fixes a single bug, you can be sure it’s a high-priority bug. And there’s no reason to believe that it’s higher-priority for iOS users than for Mac users. So why did they not fix OS X at the same time? Because OS X isn’t top priority anymore.
At this early stage, the vulnerability has been confirmed in iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1, meaning it has silently exposed the sensitive communications of millions of people for weeks or months. Security researchers haven’t ruled out the possibility that earlier versions are also affected. Readers should immediately update their iPhones and iPads to versions 7.0.6 or 6.1.6, preferably using a non-public network.
Apple also released an Apple TV update and iOS 6.1.6 today to address the same issue. You can find the iOS updates in iTunes or in the device’s settings pane. The Apple TV update can be found under Settings > General > Update Software.
Apple representatives, meanwhile, have yet to issue any public statements beyond the vague but spooky two sentences contained in Friday’s advisory. They read:
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
Adam Langley, a senior software engineer at Google, also wrote about the flaw on his blog ImperialViolet and created a test site to check if you have the bug (pictured above):
“Since this is in SecureTransport, it affects iOS from some point prior to 7.0.6 (I confirmed on 7.0.4) and also OS X (confirmed on 10.9.1). It affects anything that uses SecureTransport, which is most software on those platforms although not Chrome and Firefox, which both use NSS for SSL/TLS. However, that doesn’t mean very much if, say, the software update systems on your machine might be using SecureTransport….
I coded up a very quick test site at https://www.imperialviolet.org:1266. Note the port number (which is the CVE number), the normal site is running on port 443 and that isexpected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug.”