Widespread Apple Device Vulnerability Exposed
Apple Security Update!
Apple has revealed a very serious flaw in the way its iOS devices (iPods, iPads, iPhones) handle secure connections, specifically when your device is connecting to a server via SSL (“https://”) or TLS connections. This vulnerability, just revealed and patched by Apple last Friday, allows for an attacker to create a “man in the middle” situation to simulate that your device is connecting to a particular site when in fact you are not.
According to security reporting site Arstecnica, “At this early stage, the vulnerability has been confirmed in iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1, meaning it has silently exposed the sensitive communications of millions of people for weeks or months. Security researchers haven’t ruled out the possibility that earlier versions are also affected. Readers should immediately update their iPhones and iPads to versions 7.0.6 or 6.1.6, preferably using a non-public network.”
The flaw affects SSL and TLS connections. Supposedly, Chrome and Firefox browsers are not affected by this flaw, but Google security engineer Adam Langley has set up a test page to validate whether your browser is vulnerable (we have verified that it is not malicious). If your browser takes you to that page without an error, your browser is vulnerable. (Keep in mind some corporate firewalls may not allow this connection through either because it uses a nonstandard TCP port number.)
If your device is vulnerable, avoid using public WiFi and update your device as soon as possible.