iOS 7 Patched, Other Devices at Risk

Monday, February 24, 2014 @ 04:02 PM gHale


A patch for Apple’s iOS 7 fixes an SSL vulnerability, but also exposes other devices to man-in-the-middle (MitM) attacks, researchers said.

The software “failed to validate the authenticity of the connection,” Apple said.

An update was released for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later. However, the same SSL encryption flaw affects Apple laptops and desktop computers running Mac OS X.

Apple has not yet released patches for these devices, so user credentials can be intercepted by anyone appearing to own a trusted certificate (used to make secure connections to a server over the Internet). The interception happens through a man-in-the-middle attack, a form of active eavesdropping in which the attacker intercepts the unencrypted communication between the sender and a website such as Facebook or Google.

“The vulnerability resides in the Secure Transport implementation which fails to provide hostname verification. This means any digital certificate would validate for any number of websites as long as it is valid, thus leaving the user open to a man-in-the-middle attack scenario,” said Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender. “Apparently, the bug is caused by a duplicate Goto instruction that hijacks logic in the SSLVerifySignedServerKeyExchange function.”
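The duplicate-goto failure mode mentioned in the quote above, as an added C example that is not Apple's code and not part of the original article. The function names and stub checks are hypothetical; the model only shows how an unguarded second `goto` skips the remaining check while the error variable still signals success, next to a corrected form.

```c
#include <stdio.h>

/* Hypothetical stand-ins for individual verification steps.
 * Each returns 0 on success and non-zero on failure. */
typedef int (*check_fn)(void);

static int check_ok(void)   { return 0; }
static int check_fail(void) { return -1; }

/* Flawed pattern: the second "goto fail" is not guarded by the if,
 * so it always runs. final_check is never called and err is still 0. */
int verify_flawed(check_fn first, check_fn second, check_fn final_check)
{
    int err;

    if ((err = first()) != 0)
        goto fail;
    if ((err = second()) != 0)
        goto fail;
        goto fail;                      /* duplicated line */
    if ((err = final_check()) != 0)     /* unreachable */
        goto fail;

fail:
    return err;
}

/* Corrected pattern: every branch is braced and there is no stray jump,
 * so a failing final check is reported to the caller. */
int verify_fixed(check_fn first, check_fn second, check_fn final_check)
{
    int err;

    if ((err = first()) != 0) { goto fail; }
    if ((err = second()) != 0) { goto fail; }
    if ((err = final_check()) != 0) { goto fail; }

fail:
    return err;
}

int main(void)
{
    /* Constructed scenario: the first two checks pass, the last one fails. */
    printf("flawed: %d\n", verify_flawed(check_ok, check_ok, check_fail));
    printf("fixed:  %d\n", verify_fixed(check_ok, check_ok, check_fail));
    return 0;
}
```

Compiling the flawed function with GCC's `-Wmisleading-indentation` (part of `-Wall`) or Clang's `-Wunreachable-code` produces a warning at the duplicated line.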


