Software updates usually make our device strong against bug and vulnerability. The same things happened to Apple when the company released its IOS 7.0.6 version, which brings an SSL security patch to fill the SSL security gap for its previous software versions. This update provides a solution to man-in-middle attack on Apple devices.
Apple announced the new update for iPhone 4 and later, iPod touch (5th generation), iPad 2 and later device on their website.
What IOS 7.0.6 fixed:
However, an attacker with a privileged network could get or modify the data in SSL/TLS sessions. The vulnerability exposed is named “CVE-2014-1266“, which influenced both the IOS and OS X operating system. This vulnerability bypasses the verification process upon the initial handshake. Therefore, app could not verify the connection. As a result, it terminates the verification process. In other word, a hacker can perform Man-in-the-middle (MITM) attack in this situation. For that hacker must be on the same network, so with the help of same wireless network, the hacker can intercept communication between the website and the user.
SSL vulnerability shown in Different browsers:
The vulnerability affects in both IOS and OS X operating system. Adam Langley, a security engineer has made a test page to test the vulnerability in which Firefox, chrome, and safari browser works differently. In OS X operating system Firefox and chrome is working normally. In Firefox, it shows error of “Secure connection failed” while in Chrome browser it shows “The Webpage is not available” error. However, in safari browser it shows vulnerability while connecting to the server.
What experts say about this IOS Update?
- John Costello, Security Researcher at CrowdStrike said, “Software update mechanisms which download and execute code without cryptographically verifying signatures of the downloaded code may be exploitable. However, update mechanisms which correctly employ signature verification of downloaded contents are less likely to be exploitable by this vulnerability.’
- Encryption expert and security engineer Adam Langley said, “This sort of subtle bug deep in the code is a nightmare.”
- Apple declared on website “Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS”. “Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.”
Recommendation from Experts:
Security experts alert users and recommend some measure against this SSL vulnerability.
- Update your Apple devices and systems immediately.
- Make sure you are password protected and on trusted Wi-Fi network.
- Update iPad and IPhone to the latest 7.0.6 and 6.1.6 version.
- If users have iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1, then it should be updated with the latest version to 7.0.6 and 6.1.6 version for iPad and IPhone because these old versions has been justified vulnerable.
- Google Chrome and Firefox remained unaffected with this vulnerability so users can surf with these browsers.
- The experts says that if users do not update their device then they may be victim of hackers’ malicious tricks as hackers could read confidential communication and create a man-in-middle attack.
- To check the browser in context of this vulnerability, user can check on this link.
Earlier Apple announced two step verification to give more strength to iCloud. SSL is a strong protocol that encrypts the communication between the user’s website and the communicating server. Certificate verification is vital for ensuring that the information is coming from the trusted source and such vulnerability can exposed millions of private communication. Therefore, it is advisable to update devices on regular intervals.
