Major SSL flaw found in iOS, OS X

Apple has released a patch for iOS and says an OS X fix will be released 'very soon'

Security researchers revealed late Friday that iOS's validation of SSL encryption had a coding error that bypassed a key validation step in the Web protocol for secure communications. As a result, communications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted, potentially exposing user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.

Apple released a patch Friday evening, available to al iOS users. iOS users should have already received a notification of the update's availability or have had it automatically installed, depending on their device's iOS version, update settings, and available space for downloading the update.

[ It's time to rethink security. Two former CIOs show you how to rething your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

But on Saturday, several researchers reported that the flaw also affected OS X 10.9 Mavericks and perhaps other OS X versions. Late Saturday, Apple said it had a fix ready for OS X and would release it "very soon." On OS X, the flaw is likewise limited to SSL connections over unsecured Wi-Fi networks, though only in Safari.

The update will be available through OS X's Software Update utility, which is set to download security updates automatically by default in recent OS X versions.

iOS uses the WebKit-based Safari engine even in non-Safari browsers, so all iOS browsers can be exploited. By contrast, OS X lets each browser use it's own browser engine. A Google security researcher said Chrome does not have the coding flaw; other researchers have said that Mozilla Firefox is likewise safe.

This article, "Major SSL flaw found in iOS, OS X," was originally published at InfoWorld.com. Follow the latest developments in business technology news and get a digest of the key stories each day in the InfoWorld Daily newsletter. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Read more about security in InfoWorld's Security Channel.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackingAppleiosoperating systemssoftwareapplicationsMac OS Xintrusionmobile technologyweb browsersapplication securityAccess control and authentication

More about AppleGoogleMozilla

Show Comments
[]