Apple released on Friday, February 21st, a software update with version 7.0.6 to fix a security issue in various iOS versions. This security bug allows attackers to act as a man-in-the middle: read and modify the encrypted communication on iPhone, iPad, iPod. The company says it is working also on the fix for OSX.
According to the KB article, the Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
What does this mean?
When a device talks SSL/TLS with a server, it must do several steps to make sure that the server is who it says it is. Because of this bug, the iOS device would blindly trust a server no matter what it pretends it is as long as it presents a valid SSL certificate (generated by a trusted certificate authority). For example, if you do your online banking, a man-in-the-middle attack would be successful if the fake server manages to present a certificate that impersonates the bank’s servers. With so many CAs hacked in the past, it is not impossible to impersonate pretty much any entity in the Internet.
What to do
You need to trigger an update of iOS.
If you don’t see a message like the one below, go to Settings -> General -> Software Update and trigger the update manually.
This is what you should see when the device detects the update. Note that the update can only be done when the iOS device is connected to a wireless network.
Other iOS Devices
Also other iOS devices got the update: Apple TV, iPad v2+, iPod last generation, iPhone 4+. For a complete list please check the dedicated support page.
|Name and information link||Released for||Release date|
|Apple TV 6.0.2||Apple TV 2nd generation and later||21 Feb 2014|
|iOS 7.0.6||iPhone 4 and later, iPod touch (5th generation), iPad 2 and later||21 Feb 2014|
|iOS 6.1.6||iPhone 3GS, iPod touch (4th generation)||21 Feb 2014|
Apple hasn’t fix the bug yet for MacOSX. Even though Avira can’t protect you against this issue, you should still install Avira Free Mac Security (if you haven’t done this yet).