I’m usually kinda lax on installing OS updates, but I just came across the iOS 7.0.6 announcement. It’s pretty scary:

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Apparently this allowed a certain category of attackers (“with a privileged network position,” so not just anybody) to see or modify data ostensibly protected by SSL. How could the session not be properly validated?

I don’t see many details online yet (look at the CVE site later) but now that a patch is available there will presumably be more discussion soon.

In the meantime, I’d be making with the updating…

Just found this: some mostly unnamed researchers have looked at the patch and determined OS X has the same problem. Ouch.

Apple security flaw could allow hackers to beat encryption

Update the Second: Well isn’t this interesting…

Apple’s SSL/TLS bug

The issue is a programming error, one that circumvented a necessary verification condition with an errant line of code. Every single programmer ever has made this error at some point, sometimes after an embarrassingly large number of years of professional work.

The hard part is making sure something or someone in your process catches it before it ships, because even the best programmers get tired and miss something. And that is a subject for an entirely different blog.
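To make the "errant line of code" concrete, here is an added C sketch of the control-flow pattern behind this bug (this is an illustration written for this post, not Apple's Secure Transport code): a duplicated, unconditional `goto fail;` jumps past the signature check, and because the error variable is still zero at the label, the function reports success for a signature it never verified. The hash and signature helpers and the sample signatures are constructed stand-ins.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample inputs: the tag verify_sig() accepts, and a forged one. */
const uint8_t sample_good_sig[4] = {0xDE, 0xAD, 0xBE, 0xEF};
const uint8_t sample_bad_sig[4]  = {0x00, 0x00, 0x00, 0x00};

/* Stand-in for the hash-update steps; returns 0 on success (constructed). */
static int update_hash(int *state, int ok) { (void)state; return ok ? 0 : -1; }

/* Hypothetical signature check: returns 0 only for the expected 4-byte tag. */
static int verify_sig(const uint8_t *sig, size_t len) {
    return (len == 4 && memcmp(sig, sample_good_sig, 4) == 0) ? 0 : -1;
}

/* Buggy version: the second "goto fail;" is not governed by the if, so it
 * always executes, verify_sig() is never reached, and err is still 0. */
int verify_buggy(const uint8_t *sig, size_t len) {
    int err, state = 0;
    if ((err = update_hash(&state, 1)) != 0)
        goto fail;
        goto fail;                 /* the errant duplicated line */
    if ((err = verify_sig(sig, len)) != 0)
        goto fail;
fail:
    return err;                    /* 0 here means "signature valid" */
}

/* Fixed version: braces around every body and a single goto per check,
 * so a forged signature makes err non-zero before the label is reached. */
int verify_fixed(const uint8_t *sig, size_t len) {
    int err, state = 0;
    if ((err = update_hash(&state, 1)) != 0) {
        goto fail;
    }
    if ((err = verify_sig(sig, len)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

A compiler warning for unreachable code, or a test that feeds a forged signature and expects rejection, is the kind of "something in your process" that catches this before it ships.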
