Major Apple security flaw: Patch issued, users open to MITM attacks

Summary: Apple rushed the release of iOS 7.0.6 on Friday with a patch for a shockingly overlooked SSL encryption issue that leaves iPhone, iPad and Mac computer users open to a man-in-the-middle (MITM) attack.


Apple on Friday revealed a major SSL (Secure Sockets Layer) vulnerability in its software that affects all devices, allowing hackers to intercept and alter communications such as email and login credentials for countless Apple hardware users.

A new version of Apple's iOS for its tablets and phones was rushed out the door Friday to patch the vulnerability, wherein its mobile, tablet and desktop software is not doing SSL/TLS hostname checking — communications meant to be encrypted are not.

The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).

Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.

Unfortunately, Apple has not released a statement on when to expect this patch, nor what version range of iPhone, iPad, iPod touch, or Mac computer is affected by the major, and somewhat shocking, flaw.

The vulnerability allows anyone with a certificate signed by a "trusted CA" to do a man-in-the-middle (MITM) attack.

A man-in-the-middle attack seamlessly intercepts communication — and more, like unencrypted passwords — between yourself and your intended recipient or website, and according to OWASP, "the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication."

A malicious entity could also impersonate a trusted website to install malware or steal valuable data, such as in September when Belgium's largest telecom provider Belgacom was hacked and exploited via fake LinkedIn and Slashdot pages.

iOS 7.0.6 and the new iOS 6.1.6 update "provide a fix for SSL connection verification."

The 7.0.6 update is for all devices that can run iOS 7, while the iOS 6.1.6 update is for the iPhone 3GS and fourth-generation iPod touch.

iOS 7.0.6
Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-2014-1266 (About the security content of iOS 7.0.6)
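As an added illustration (not code from this article or from Apple), the simplified C model below mirrors the shape of CVE-2014-1266: Apple's fix removed a duplicated, unconditional `goto fail;` in Secure Transport's signed key-exchange verification, the "missing validation step" named in the advisory above, which is why an on-path attacker did not need the server's private key. The status codes, toy hash, "signature" and sample parameters are constructed stand-ins for the real RSA/ECDSA check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for Secure Transport's status codes (0 = success) and a toy
 * hash/"signature" (signature == hash) that only makes the control flow observable. */
enum { errSecSuccess = 0, errSSLCrypto = -9809 };

static int hash_update(uint32_t *h, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) *h = *h * 31u + buf[i];
    return errSecSuccess;
}

static int raw_verify(uint32_t h, uint32_t signature) {
    return h == signature ? errSecSuccess : errSSLCrypto;
}

/* Vulnerable shape: the second 'goto fail;' is unconditional, so raw_verify() is
 * never reached and err still holds errSecSuccess; any signature is accepted. */
int verify_vulnerable(const uint8_t *params, size_t len, uint32_t signature) {
    int err;
    uint32_t h = 0;
    if ((err = hash_update(&h, params, len)) != 0)
        goto fail;
        goto fail;                      /* duplicated line, always taken */
    if ((err = raw_verify(h, signature)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: the verification step is restored, so a forged signature fails. */
int verify_fixed(const uint8_t *params, size_t len, uint32_t signature) {
    int err;
    uint32_t h = 0;
    if ((err = hash_update(&h, params, len)) != 0)
        goto fail;
    if ((err = raw_verify(h, signature)) != 0)
        goto fail;
fail:
    return err;
}

/* Constructed sample: parameters whose toy hash is 1026, plus a forged signature. */
static const uint8_t kParams[] = { 0x01, 0x02, 0x03 };
enum { kGenuineSig = 1026, kForgedSig = 0x7777 };
int main(void) {
    printf("vulnerable accepts forged: %d\n", verify_vulnerable(kParams, 3, kForgedSig) == 0);
    printf("fixed accepts forged:      %d\n", verify_fixed(kParams, 3, kForgedSig) == 0);
    return 0;
}
```

The same pattern is what a compiler's unreachable-code warning or a dead-code linter catches, which is the detection a defender wants in a TLS code base.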

It is a very serious issue, and users of Apple tablets and phones are urged to update ASAP.

It's unknown how far back in iOS generations the flaw goes.

Older devices, such as the original iPhone, the 3G, the earlier iPod touch and the first generation iPad, are in all likelihood out of luck for attention to the encryption hole.

There is speculation that this vulnerability, coupled with automatic updates over SSL, may have been one of the ways that the NSA could access "any iOS device" — a claim made in leaked Snowden-NSA documents, one that Apple vehemently denied.

Update 2/22: Adam Langley has excellent further analysis in Apple's SSL/TLS bug (22 Feb 2014,

ZDNet has reached out to Apple for comment and will update this post if it responds.

  • It just works

    ... sometimes
    • Yes it does just work

      "...sometimes...", the device is working and Apple patched the flaw. Sometimes security issues are not found for a long time, and it is not always the vendor that finds the issue; often it is someone else hacking around in the OS. This is an ongoing process for all OS, be it Android, iOS, Linux, Mac, Symbian, Windows, and the like. They all have issues and they all fix them. Certainly nothing to be snide about.
      • Comment

        I think he's referring to the sometimes snide statements that Apple products are nearly impregnable and that iOS/Mac users do not need to be concerned about threats from hackers and malware.
        • I keep hoping..

          but it is a waste of time of course, the Apple fan boys will some day realize that Apple is no different than other operating systems, and definitely not invincible. I'll never forget the proselytizing and bragging about that from them for years - then the walls came tumbling down, but they still doggedly believe in invincibility! HA!
  • Doesn't Apply

    How does this affect Apple users when all they do is play games, fart apps, and waste time on their consumer devices? Seriously - what would a hacker possibly want with some teenage girl's Apple phone?
    Sean Foley
    • Which one do you suffer from?

      Narcissism, Machiavellianism, Psychopathy, or Sadism.

      Whatever it is, get some help.
    • Re: Doesn't Apply....

      SF perving at teenage girls again
    • Passwords

      It is trivial to use it to collect passwords to hijack accounts. At the very least it's great for spammers to have legit accounts they can send spam from.
    • On the flip side...

      Android is a virus, malware laden piece of dung and Windows 8 is such a laughable crap heap that I suggest we all get back to pencil and paper. I have enclosed this link for everyone's enjoyment.
      • There aren't enough flags...

        to nullify the humor of my link, and I will not upgrade past Windows 7 either.
  • Apple fails again with the worst security practices in the industry

    Company has an app that only runs on iOS 6 but there is no update because Apple only provides updates for iOS 7. Seems the door has been wide open since day one.

    God what nincompoops!
    • Frankly, my dear, I don't give a damn

      [I've just virtual deleted your comment]
    • That's a pretty bad app

      iOS 7 is largely binary compatible with iOS should never have happened in the first place. Why don't they just update their own bad code?
      • Haven't we been through this with the Windows XP discussions?

        "Why don't they just update their own bad code?"

        Sometimes that's not an option. Or maybe people don't want to run iOS 7...for whatever reason. Why doesn't Apple just release a patch for previous versions of their operating systems?
        • Because they've never done that

          They aren't Microsoft, you were never promised when you bought the phone that would be their approach, and given their history, you had every reason to believe that, owning an Apple phone, the road to patching would be the road through OS updates.

          It isn't all that different over in the Ubuntu world. End of life comes hard and fast. In fact, it generally isn't an unusual approach at all, for many vendors.

          Yes, Microsoft does it, a market strategy that makes it a favourite of business. But it isn't now, has never been, and will never be Apple's strategy.

          Update your phone.
          • But

            in the Windows and Linux worlds, you can always upgrade to the newest version.

            Both my iPhone and iMac have been abandoned by Apple.
          • Sucks, doesn't it?

            And people whine because Microsoft is ending support for Windows XP........13 years after it was released. Meanwhile, Apple will be ending Mountain Lion support soon.

            MOUNTAIN. FRIGGIN'. LION!!
          • Recently it seems...

            Technology seems to have partnered with mediocrity. I will not praise any one operating system over another but rather than trumpet loss of support for Mountain Lion, let people know that any Mac capable of running it can just as easily run Mavericks, which will allow continued support for at least a while.
          • AND....

            Mavericks is free.
          • Oh wow more flags...

            Truth must really butthurt you MS Zealots.