This Friday, Apple revealed a major security flaw in its iOS devices, related to its SSL/TLS implementation. Analysts who looked into it later found that OS X and Apple TV are also affected, and that the flaw is both easy to exploit and serious in its consequences.
I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.
— Matthew Green (@matthew_d_green) February 21, 2014
The bug causes Secure Transport to skip a validation step in the SSL/TLS handshake, so a client cannot distinguish the genuine server from an attacker on the network path who impersonates it. For users that means data they believe is protected can be read or modified by such an attacker: the connection is still encrypted, but it may be encrypted to the wrong party. Everything that uses Apple's SSL/TLS stack is exposed, Safari included (which is why the gotofail.com check works from the browser), and so are the many apps that talk directly to their own servers over the same library; that is why Apple TV apps can also be affected. Third-party browsers that bring their own TLS library, such as Chrome and Firefox on OS X, are not affected by this particular flaw.
Apple describes the vulnerability as follows:
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
You can read more on the bug here.
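To make the "missing validation steps" concrete, here is a simplified C model of the defect, added for this post; it is not Apple's source and not code from the original article. The real function is SSLVerifySignedServerKeyExchange() in Secure Transport, where one line in a chain of `if (...) goto fail;` checks was duplicated, which is where the gotofail.com name comes from. The types, the hypothetical error codes, the toy hash and the constructed sample ServerKeyExchange bytes below are illustrative stand-ins for the real SHA-1 hashing and signature verification:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative error codes (hypothetical values, not Apple's). */
typedef int OSStatus;
enum { ERR_NONE = 0, ERR_PARAM = -1, ERR_BAD_SIGNATURE = -2 };

/* Constructed stand-in for a ServerKeyExchange message. A real handshake
 * carries the server's ephemeral DH/ECDH parameters plus a signature over
 * them (and the two randoms) made with the key in the server certificate.
 * Here the signature is reduced to a flag: 1 models a genuine server,
 * 0 models an attacker who cannot produce a valid signature. */
typedef struct {
    const uint8_t *params;
    size_t         params_len;
    int            signature_valid;
} ServerKeyExchange;

/* Stand-in for the SSLHashSHA1.update() calls in the original chain:
 * fails on a NULL buffer, otherwise folds the bytes into a toy hash. */
static OSStatus hash_update(uint32_t *hash, const uint8_t *data, size_t len)
{
    if (data == NULL)
        return ERR_PARAM;
    for (size_t i = 0; i < len; i++)
        *hash = (*hash * 31u) ^ data[i];
    return ERR_NONE;
}

/* Stand-in for the final signature verification step. */
static OSStatus verify_signature(uint32_t hash, const ServerKeyExchange *kx)
{
    (void)hash; /* a real verifier checks the signature against this digest */
    return kx->signature_valid ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* Vulnerable shape: the duplicated `goto fail;` is unconditional, so after a
 * successful hash step control jumps to `fail:` with err still 0 and
 * verify_signature() is never reached. Any ServerKeyExchange is accepted,
 * signed or not. Errors from the earlier step still propagate, which is why
 * the bug went unnoticed: only the success path is wrong. */
OSStatus verify_server_key_exchange_buggy(const ServerKeyExchange *kx)
{
    OSStatus err;
    uint32_t hash = 0;

    if ((err = hash_update(&hash, kx->params, kx->params_len)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always executed, err == 0 here */
    if ((err = verify_signature(hash, kx)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: the stray jump removed, so the signature check runs. */
OSStatus verify_server_key_exchange_fixed(const ServerKeyExchange *kx)
{
    OSStatus err;
    uint32_t hash = 0;

    if ((err = hash_update(&hash, kx->params, kx->params_len)) != 0)
        goto fail;
    if ((err = verify_signature(hash, kx)) != 0)
        goto fail;

fail:
    return err;
}

/* Constructed sample: the same parameters, once signed by the genuine
 * server and once injected by a man-in-the-middle without a signature. */
static const uint8_t sample_params[] = { 0x03, 0x00, 0x17, 0x41, 0x04, 0xde, 0xad };

ServerKeyExchange genuine_exchange(void)
{
    ServerKeyExchange kx = { sample_params, sizeof sample_params, 1 };
    return kx;
}

ServerKeyExchange forged_exchange(void)
{
    ServerKeyExchange kx = { sample_params, sizeof sample_params, 0 };
    return kx;
}

int main(void)
{
    ServerKeyExchange good = genuine_exchange(), bad = forged_exchange();
    printf("buggy: genuine=%d forged=%d\n", verify_server_key_exchange_buggy(&good),
           verify_server_key_exchange_buggy(&bad));   /* prints 0 and 0 */
    printf("fixed: genuine=%d forged=%d\n", verify_server_key_exchange_fixed(&good),
           verify_server_key_exchange_fixed(&bad));   /* prints 0 and -2 */
    return 0;
}
```

Compile with `cc -Wall goto_fail.c`. The buggy build returns 0 for the forged exchange, so a client built this way completes the handshake with the attacker's key material; the fixed build rejects it with ERR_BAD_SIGNATURE. Recent versions of GCC and clang warn about the misleadingly indented second `goto fail;` under -Wall (or -Wmisleading-indentation), and an unreachable-code or coverage check would have shown that the verify step never ran; either is a cheap check worth having in a TLS code base.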
Fortunately, Apple moved quickly and released software updates for the affected devices: iOS 7.0.6, iOS 6.1.6 for older devices that cannot run iOS 7, and Apple TV 6.0.2 for Apple TV 2 and 3. Go to Settings > General > Software Update to check for and install the new firmware.
The OS X fix, however, was not yet available at the time of writing. You can browse to gotofail.com from each of your devices to find out whether it is vulnerable. If it is, update immediately, and until you can, stay off untrusted networks such as public Wi-Fi: the attacker has to sit between you and the server (Apple's "privileged network position") to pose as a secure site and pull your data.
Now, though things have settled a bit for users, they are far from over for Apple. It is still uncertain exactly when the bug was introduced (it goes back at least to iOS 6, given that Apple shipped 6.1.6 to fix it) and whether anybody has already fallen victim to it. Many developers have explained on their blogs how the bug works and how it could be exploited, which makes the threat to anyone who has not yet patched all the greater.
On the other hand, some accuse Apple of planting an intentional backdoor for NSA access, while others wonder how many other simple, unnoticed holes of this kind remain. Only time will tell whether Apple will shine above these dark clouds or get buried in lawsuits.