Apple on Friday revealed a major SSL (Secure Sockets Layer) vulnerability in its software that affects all devices, allowing hackers to intercept and alter communications such as email and login credentials for countless Apple hardware users.
A new version of Apple's iOS for its tablets and phones was rushed out the door Friday to patch the vulnerability, in which its mobile, tablet and desktop software does not perform SSL/TLS hostname checking, so communications meant to be encrypted are not.
The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).
Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.
Unfortunately, Apple has not released a statement on when to expect this patch, nor what version range of iPhone, iPad, iPod touch, or Mac computer is affected by the major, and somewhat shocking, flaw.
The vulnerability allows anyone with a certificate signed by a "trusted CA" to do a man-in-the-middle (MITM) attack.
A man-in-the-middle attack seamlessly intercepts communication — and more, like unencrypted passwords — between yourself and your intended recipient or website, and according to OWASP, "the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication."
A malicious entity could also impersonate a trusted website to install malware or steal valuable data, such as in September when Belgium's largest telecom provider Belgacom was hacked and exploited via fake LinkedIn and Slashdot pages.
TL;DR -- Apple used raw OpenSSL for HTTPS, but didn't include hostname verification. https://t.co/XTdipT8VyP
— Will Sargent (@will_sargent) February 21, 2014
iOS 7.0.6 and the new iOS 6.1.6 update "provide a fix for SSL connection verification."
The 7.0.6 update is for all devices that can run iOS 7, while the iOS 6.1.6 update is for the iPhone 3GS and fourth-generation iPod touch.
iOS 7.0.6
Data Security
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
CVE-2014-1266 (About the security content of iOS 7.0.6)
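Apple's description says the fix consisted of "restoring missing validation steps", and the nickname "goto fail" used in the tweets on this page refers to the shape of the defect. The C sketch below is an added illustration, not Apple's code: it models the publicly documented defect in Secure Transport's signature check for the ServerKeyExchange message, where a duplicated `goto fail;` line made the remaining verification steps unreachable while the status variable still read success. The hash, the toy signature, the `Status` type and the message bytes are constructed stand-ins so that it runs offline; the buggy function sits beside the corrected one.

```c
/* Added illustration (not Apple's code): a duplicated "goto fail;" leaves the
 * final verification steps unreachable while the status variable still says OK.
 * Hash, signature and status codes are constructed stand-ins so this runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for Apple's OSStatus: 0 is success, anything else is an error. */
typedef int Status;
#define STATUS_OK       0
#define STATUS_BAD_SIG (-1)

/* Toy running "hash" (32-bit FNV-1a). Constructed; not a cryptographic hash. */
typedef struct { uint32_t h; } HashCtx;

static Status hash_init(HashCtx *c) { c->h = 2166136261u; return STATUS_OK; }
static Status hash_update(HashCtx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return STATUS_OK;
}
static Status hash_final(const HashCtx *c, uint32_t *digest) { *digest = c->h; return STATUS_OK; }

/* Toy "signature": digest XOR a shared secret. Stands in for the real RSA/ECDSA check. */
#define TOY_KEY 0xA5A5A5A5u
uint32_t toy_sign(const uint8_t *msg, size_t n) {
    HashCtx c; uint32_t d;
    hash_init(&c); hash_update(&c, msg, n); hash_final(&c, &d);
    return d ^ TOY_KEY;
}
static Status raw_verify(uint32_t digest, uint32_t sig) {
    return ((digest ^ TOY_KEY) == sig) ? STATUS_OK : STATUS_BAD_SIG;
}

/* BUGGY: the second "goto fail;" is unconditional, so hash_final() and
 * raw_verify() never execute and err is still STATUS_OK when we return. */
Status verify_signed_params_buggy(const uint8_t *msg, size_t n, uint32_t sig) {
    HashCtx ctx;
    uint32_t digest = 0;
    Status err;
    if ((err = hash_init(&ctx)) != STATUS_OK)
        goto fail;
    if ((err = hash_update(&ctx, msg, n)) != STATUS_OK)
        goto fail;
        goto fail;      /* duplicated line: the indentation suggests a branch, C sees none */
    if ((err = hash_final(&ctx, &digest)) != STATUS_OK)
        goto fail;
    err = raw_verify(digest, sig);      /* unreachable */
fail:
    return err;                         /* STATUS_OK for ANY signature */
}

/* FIXED: identical apart from the stray line, so every step runs and the
 * signature result decides what is returned. */
Status verify_signed_params_fixed(const uint8_t *msg, size_t n, uint32_t sig) {
    HashCtx ctx;
    uint32_t digest = 0;
    Status err;
    if ((err = hash_init(&ctx)) != STATUS_OK)
        goto fail;
    if ((err = hash_update(&ctx, msg, n)) != STATUS_OK)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != STATUS_OK)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

int main(void) {
    /* Constructed message standing in for the signed ServerKeyExchange parameters. */
    static const uint8_t params[] = "constructed ServerKeyExchange params";
    size_t n = sizeof params - 1;
    uint32_t good = toy_sign(params, n);
    uint32_t wrong = good ^ 1u;     /* any value that is not the genuine signature */
    printf("buggy, wrong signature: %d (0 means accepted)\n", verify_signed_params_buggy(params, n, wrong));
    printf("fixed, wrong signature: %d\n", verify_signed_params_fixed(params, n, wrong));
    printf("fixed, good signature:  %d\n", verify_signed_params_fixed(params, n, good));
    return 0;
}
```

The detection angle for reviewers is the one a compiler can give for free: building with unreachable-code warnings enabled (for example clang's `-Wunreachable-code`) flags the dead `hash_final`/`raw_verify` lines in the buggy function, and a coding rule of always bracing single-statement `if` bodies removes the shape that let the duplicated line hide.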
It is a very serious issue, and users of Apple tablets and phones are urged to update ASAP.
It's unknown how far back in iOS generations the flaw goes.
So goto fail was added before October 2013. It is in 10.9 but not 10.8.5; and it is in iOS 6.1 and iOS7...Ouch. Long time to not support SSL
— the grugq (@thegrugq) February 22, 2014
Older devices, such as the original iPhone, the 3G, the earlier iPod touch models and the first-generation iPad, are in all likelihood out of luck and will not receive a fix for the encryption hole.
I'm not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.
— Matthew Green (@matthew_d_green) February 21, 2014
There is speculation that this vulnerability, coupled with automatic updates over SSL, may have been one of the ways that the NSA could access "any iOS device" — a claim made in leaked Snowden-NSA documents, one that Apple vehemently denied.
Today's show was brought to you by Apple, SecureTransport, and the letters SSL. Oh wait, the letters SSL didn't actually do anything.
— Dino A. Dai Zovi (@dinodaizovi) February 22, 2014
Update 2/22: Adam Langley has excellent further analysis in "Apple's SSL/TLS bug" (22 Feb 2014, imperialviolet.org).
ZDNet has reached out to Apple for comment and will update this post if it responds.