Apple Releases iOS 7.0.6 to Fix Flaw That Fails to Check Authenticity in Web Communications

Apple rushed out iOS 7.0.6 on Friday with a patch that attempts to fix a disgracefully overlooked SSL encryption issue that leaves Apple iPhone, iPad and Mac computer users (those running Mac OS X 10.9.1) open to a man-in-the-middle (MITM) attack. Apparently, iOS does not check that the “common name” record in the SSL certificate sent by the server matches the hostname the client used to connect to the server, thereby allowing a man-in-the-middle attacker to defraud the system.

A man-in-the-middle attack seamlessly intercepts communication (such as unencrypted passwords) between you and your intended recipient or website. According to the Open Web Application Security Project (OWASP), “the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.”

SSL and TLS are used worldwide to prevent eavesdroppers from snooping on network traffic while users communicate with sensitive services, such as banking and shopping websites and email servers. SSL and TLS only work if the other end of the connection can be verified and trusted. Security experts routinely instruct users to make sure a sensitive service presents https rather than http in the web address. With a middle man intercepting traffic, that https indicator is meaningless.

The vulnerability allows anyone holding a certificate signed by a “trusted CA” to carry out a man-in-the-middle (MITM) attack.
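The check the article describes as missing, namely that the name in the server’s certificate matches the hostname the client asked for, is small but easy to get wrong. The following is an added example written for this page, not Apple’s code: it applies the usual RFC 6125 rules (case-insensitive match, subjectAltName preferred over the common name, wildcard only as the whole left-most label) to a constructed certificate shaped like the dictionary Python’s `ssl.getpeercert()` returns.

```python
import ipaddress


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire left-most label (e.g. "*.example.com"),
    # appear nowhere else, and must not cover a public suffix such as "*.com".
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    # A wildcard covers exactly one label and never spans a dot, so
    # "*.cdn.example.com" matches "img.cdn.example.com" but not "a.b.cdn.example.com".
    return len(hlabels) == len(plabels) and plabels[1:] == hlabels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if cert is valid for hostname.

    cert uses the layout of ssl.getpeercert():
    {"subjectAltName": [("DNS", "a.example.com"), ("IP Address", "192.0.2.1")],
     "commonName": "a.example.com"}
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", [])
    # An IP literal may only match an iPAddress SAN entry, never a DNS name or the CN.
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        # When SAN entries exist the common name is ignored entirely.
        return any(_name_matches(name, hostname) for name in dns_names)
    cn = cert.get("commonName")
    return cn is not None and _name_matches(cn, hostname)


# Constructed sample: a certificate legitimately issued for shop.example.com.
# A middle man presenting it while the client tried to reach bank.example.org
# must be rejected, which is the check the article says was not performed.
SHOP_CERT = {
    "subjectAltName": [("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")],
    "commonName": "shop.example.com",
}
```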

A new version of Apple’s iOS for its tablets and phones was rushed out the door Friday to patch a vulnerability in its mobile, tablet and desktop software, which was not performing SSL/TLS hostname checking. Communications meant to be encrypted are NOT encrypted.

The patch has only been issued for the more recent iPhones (iPhone 4 and later), the iPod touch (5th generation) and the iPad 2.

Unfortunately, the front page of the official Apple.com website does not warn users of this serious security flaw, and Apple has not released a statement on when to expect this patch, nor on which versions of the iPhone, iPad, iPod touch or Mac computers are affected by the major flaw. Apple’s security page does not offer a simple step-by-step plan for users. It is mostly loaded with confusing technical information and disclaimers about security notifications, security disclosures and third parties. To make matters worse, Apple’s security announcement list (http://rss.lists.apple.com/security-announce.rss), linked from its main security page “Apple Product Security” (https://ssl.apple.com/support/security/), is NOT updated. The latest listing as of Saturday, February 22, 2014 at 9:20 a.m. is dated November 14, 2013.

Apple Mailing List

APPLE-SA-2013-11-14-1 iOS 7.0.4

Subject: APPLE-SA-2013-11-14-1 iOS 7.0.4
From: Apple Product Security
Date: Thu, 14 Nov 2013 10:45:29 -0800

Security researchers across several communities believe that Mac computers running OS X Mavericks, released October 22, 2013, are even more at risk, as they are currently left operating without a patch. The security flaw involves a different issue, which is also present in the iOS version but apparently has not yet been addressed.

BOTTOM LINE: WHAT TO DO …
Update your Apple devices and systems as soon as possible to the latest available versions, unless you’re using a Mac OS X system before Mavericks (10.9.1).

DO NOT use untrusted networks (especially Wi-Fi) while traveling or on public Wi-Fi networks.

Install the patch, make purchases, or perform other sensitive operations only while operating on a trusted network.

To be extra safe, and definitely while operating unpatched mobile devices, TURN OFF the “Ask to Join Networks” setting.

Past Security Flaws with iOS

Embarrassingly, thieves could turn off “Find My iPhone” by turning on Airplane Mode.

In September 2013 Apple released a fix that prevented offenders from using a sequence of actions that could defeat the Lock screen passcode.

An offender could cause an iOS 7 iPhone to restart by tapping the emergency call button repeatedly. While the lock screen was restarting, the call dialer was displayed and allowed regular non-emergency numbers to be dialed.
