Apple patches a dangerous SSL bug in iOS

On Friday, February 21st, Apple released a software update, version 7.0.6, to fix a security issue in various iOS versions. The bug allows attackers to act as a man-in-the-middle: read and modify the encrypted communication of an iPhone, iPad or iPod. The company says it is also working on a fix for OS X.

According to the KB article, Secure Transport failed to validate the authenticity of the connection. The issue was addressed by restoring the missing validation steps.

What does this mean?

When a device talks SSL/TLS with a server, it must perform several steps to make sure that the server is who it claims to be. Because of this bug, an iOS device would blindly trust a server, whatever it claims to be, as long as it presents a valid SSL certificate (issued by a trusted certificate authority). For example, if you do your online banking, a man-in-the-middle attack would succeed if the fake server manages to present a certificate that impersonates the bank’s servers. With so many CAs hacked in the past, it is not impossible to impersonate pretty much any entity on the Internet.
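As an added illustration, not code from this post or from Apple, the following shows the shape of the "missing validation step" in Secure Transport's ServerKeyExchange signature check (the bug widely known as "goto fail"): a duplicated `goto fail;` makes the final signature verification unreachable, so the function returns success for any signature the server sends. The hash and signature routines are toy stand-ins for SHA-1 and RSA/ECDSA, and the error code is a made-up constant.

```c
/* Toy model of the Secure Transport "goto fail" bug (not Apple's code).
 * hash_update/hash_final/raw_verify are stand-ins for SHA-1 and RSA/ECDSA. */
#include <stddef.h>
#include <stdint.h>

#define SSL_NO_ERR        0
#define SSL_BAD_SIGNATURE (-1)   /* constructed error code for the example */

typedef struct { uint8_t acc; } toy_hash;

static int hash_update(toy_hash *h, const uint8_t *p, size_t n) {   /* toy: XOR-fold bytes */
    for (size_t i = 0; i < n; i++) h->acc ^= p[i];
    return SSL_NO_ERR;
}
static int hash_final(toy_hash *h, uint8_t *out) { *out = h->acc; return SSL_NO_ERR; }
static int raw_verify(uint8_t digest, uint8_t sig) {                 /* toy: sig must equal digest */
    return digest == sig ? SSL_NO_ERR : SSL_BAD_SIGNATURE;
}

/* Vulnerable shape: the second `goto fail;` is unconditional and err is still 0,
 * so hash_final and raw_verify never run and the caller sees "signature OK". */
int verify_ske_buggy(const uint8_t *crand, const uint8_t *srand, const uint8_t *params, size_t n, uint8_t sig) {
    toy_hash h = {0}; uint8_t digest = 0; int err;
    if ((err = hash_update(&h, crand, 32)) != 0)
        goto fail;
    if ((err = hash_update(&h, srand, 32)) != 0)
        goto fail;
        goto fail;                         /* duplicated line: everything below is dead code */
    if ((err = hash_update(&h, params, n)) != 0)
        goto fail;
    if ((err = hash_final(&h, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Fixed shape: the stray jump is gone and every branch is braced, so a stray
 * line cannot silently change control flow; -Wunreachable-code also flags the bug. */
int verify_ske_fixed(const uint8_t *crand, const uint8_t *srand, const uint8_t *params, size_t n, uint8_t sig) {
    toy_hash h = {0}; uint8_t digest = 0; int err;
    if ((err = hash_update(&h, crand, 32)) != 0) { goto fail; }
    if ((err = hash_update(&h, srand, 32)) != 0) { goto fail; }
    if ((err = hash_update(&h, params, n)) != 0) { goto fail; }
    if ((err = hash_final(&h, &digest)) != 0) { goto fail; }
    err = raw_verify(digest, sig);
fail:
    return err;
}
```

With all-zero randoms and params {1, 2} the toy digest is 0x03; the buggy function accepts a wrong signature such as 0x55, while the fixed one rejects it.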


What to do

You need to trigger an update of iOS.

If you don’t see a message like the one below, go to Settings -> General -> Software Update and trigger the update manually.

ios-update2


This is what you should see when the device detects the update. Note that the update can only be done when the iOS device is connected to a wireless network.

ios-update


Other iOS Devices

Other iOS devices also received the update: Apple TV, iPad 2 and later, the latest-generation iPod, iPhone 4 and later. For a complete list please check the dedicated support page.

| Name and information link | Released for | Release date |
| --- | --- | --- |
| Apple TV 6.0.2 | Apple TV 2nd generation and later | 21 Feb 2014 |
| iOS 7.0.6 | iPhone 4 and later, iPod touch (5th generation), iPad 2 and later | 21 Feb 2014 |
| iOS 6.1.6 | iPhone 3GS, iPod touch (4th generation) | 21 Feb 2014 |


Apple hasn’t fixed the bug yet for Mac OS X. Even though Avira can’t protect you against this issue, you should still install Avira Free Mac Security (if you haven’t done so yet).


Sorin Mustaca

IT Security Expert
