Software flaw puts iDevice encryption at risk; Apple rolls out fix with iOS 7.0.6
Apple, in an announcement on Friday, reported a major software flaw in mobile devices that could blow apart the integrity of encrypted connections and could allow hackers to intercept email and other communications. Apple has released iOS 7.0.6 that patches the vulnerability.
Experts claimed that an attacker within the same network as the victim can view capture or modify data in sessions protected by SSL/TLS between the user and protected sites such as Gmail and Facebook, if they successfully manage to place themselves in the middle of victim and the server.
This occurs when the secure transfer component of the operating system fails to verify the certificate of the system to which a vulnerable iDevice was connected.
Mathew Green, cryptography professor in Johns Hopkins University said “It’s as bad as you could imagine, that’s all I can say.”
Apple hasn’t revealed anything about when and how it discovered the flaw, but a statement on its support page claimed the software to have “failed to validate the authenticity of the connection.”
Apple has rolled out the latest update for its OS along with software patches that fixes this important encryption vulnerability. The company said the software fix restores steps that were missing in the validation process and would stop a hacker from gaining access to capture or modify data.
Security researchers and experts, after analyzing the patch have reported the existence of same flaw in current versions of Mac OS X 10.9.1 running on Apple laptop and desktop computers. The company is soon expected to release a patch for Mac OS X too.
The report suggests clearly that this flaw could have brought enterprising hackers a great success if they were aware of it.
It is recommended that users upgrade to iOS 7.0.6 as soon as possible.