Major SSL flaw found in iOS, OS X
Apple has released a patch for iOS and says an OS X fix will be released ‘very soon’
Security researchers revealed late Friday that iOS’s validation of SSL encryption had a coding error that bypassed a key validation step in the Web protocol for secure communications. As a result, communications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted, potentially exposing user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.
Apple released a patch Friday evening, available to al iOS users. iOS users should have already received a notification of the update’s availability or have had it automatically installed, depending on their device’s iOS version, update settings, and available space for downloading the update.
[ It’s time to rethink security. Two former CIOs show you how to rething your security strategy for today’s world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]
But on Saturday, several researchers reported that the flaw also affected OS X 10.9 Mavericks and perhaps other OS X versions. Late Saturday, Apple said it had a fix ready for OS X and would release it “very soon.” On OS X, the flaw is likewise limited to SSL connections over unsecured Wi-Fi networks, though only in Safari.
The update will be available through OS X’s Software Update utility, which is set to download security updates automatically by default in recent OS X versions.
iOS uses the WebKit-based Safari engine even in non-Safari browsers, so all iOS browsers can be exploited. By contrast, OS X lets each browser use it’s own browser engine. A Google security researcher said Chrome does not have the coding flaw; other researchers have said that Mozilla Firefox is likewise safe.
Comments are closed.