If you have an iOS device, Apple has an important security patch waiting for you. Yesterday, Apple released iOS 7.0.6, which aims to provide a fix for SSL connection verification issues.
According to the company’s security notes, the previous version of iOS was missing important secure socket layers (SSL) verification steps. The major security flaw allowed hackers to intercept email and communications that are supposed to be encrypted.
Assuming the attacker had access to the same network as the mobile or desktop user, they could view and change any traffic between the user and any protected website, like Facebook or Gmail.
Matthew Green, a cryptography professor at Johns Hopkins University, said:
“It’s as bad as you could imagine, that’s all I can say. Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site.”
Apple has not said when it learned about the flaw, nor did it mention if the flaw was being exploited.
Dmitri Alperovich, chief technology officer at security firm CrowdStrike, discovered that OS X also has SSL validation issues, leaving Apple’s laptop/desktop operating system at risk. According to analysis done by Crowdstrike, iOS was and OS X still is vulnerable to man-in-the-middle attacks. Apple has not yet released a patch for their Mac operating system, but one is expected soon.
For now, the company suggests avoiding free Wi-Fi hotspots and using only trusted networks, like your home or office Wi-Fi.
In two days we have seen two companies affected by an implementation error involving SSL encryption. Yesterday, security researchers found a weakness in WhatsApp’s implementation of SSL.