Apple quietly issues iOS update to patch faulty SSL authentication (update 2: OS X patch coming)

Is that an iPhone in your pocket? Then you'd better pull it out, dive into the settings menu and check for updates: there may be an important patch waiting for you. Apple has quietly pushed out iOS 7.0.6 and 6.1.6 -- small updates that address a hitherto unknown security issue with its mobile OS. According to the company's security notes, the previous versions of iOS were missing key SSL validation steps, which kept Secure Transport from validating authentic connections and made it possible for "attackers with a privileged network position" to "capture or modify data in sessions protected by SSL/TLS." In other words, iOS devices were failing to protect themselves on shady networks, unbeknownst to the user. It's not clear if this security flaw was known outside of Cupertino, but it certainly is now. Lucky you, then, that Apple has already issued the fix. Well, what are you waiting for? Update your phone/tablet/Apple TV, already.

Update: Researchers have found evidence that OS X also has SSL validation issues. Security firm CrowdStrike analyzed the iOS updates, and says that both of Apple's platforms are/were vulnerable to man-in-the-middle attacks. It expects Apple will push a fix for OS X soon, but for now recommends avoiding shady WiFi hotspots and updating only on trusted networks -- good habits to practice any time. Adam Langley posted a segment of what appears to be the offending code, and tests show it affects OS X up through the most recent developer builds of Mavericks. We've contacted Apple regarding the claims, but have yet to receive a response.

Update 2: Apple tells us that it's aware of the OS X vulnerability, and that a patch will be available "very soon."
