On Friday, Apple announced the release a software update for its iOS mobile operating system that addresses a critical encryption flaw. A similar update has also been released for Apple TV.
Apparently, there were a few missing validation steps that made the SSL implementation vulnerable and would allow an attacker with a privileged network position to intercept and/or modify data in sessions protected by SSL/TLS – in effect, to mount a Man-in-the-Middle attack.
iPhone and iPad users are advised to update to versions 7.0.6 or 6.16 of the OS as soon as possible, and OS X users are urged to avoid using public networks until the same fix is released for the OS.
According to various sources, Apple’s Safari browser and default Mail.app are both vulnerable, but Firefox and Chrome are not affected, so Mac users could temporarily switch to using those.
Apple has promised to release the OS X fix “soon.”
Researchers who have tested earlier versions of both iOS and OS X have concluded that the bug was present for months.
Google security researcher Adam Langley has explained how the flaw works and where the mistake happened in the source code.
The simplicity of the flaw and the fact that it could allow anyone – and especially intelligence agencies – to exploit it for spying on users gave rise to speculation that it’s existence could have been intentional. The other alternative is that Apple has a poor code review process in place.
The issue also made people criticize Apple’s preference for proprietary closed source. They argued that such a glaring mistake could have been spotted ages ago if more security researchers had the possibility to review the code.