HackThisSite.org News: ALERT: Security Advisory - Apple SSL/TLS Man-in-Middle Attack


by: Kage, 03:02 am Monday February 24th, 2014

TL;DR

If your iPhone is running iOS 7.0.5 or earlier, you are vulnerable to an SSL/TLS Man-in-the-Middle attack and you should update your iPhone immediately. OS X is also vulnerable, but no update exists yet.

Not-so-TL;DR

On Friday, February 21st, 2014, Apple quietly released iOS patch 7.0.6, fixing an "SSL/TLS vulnerability" that was grossly overlooked. When the flaw was announced, many security experts aware of its details initially refused to even hint at what the real attack was, for fear of setting loose a mass of possible attacks on as-yet-unpatched iPhones. The flaw has now been confirmed as resulting from an out-of-scope "goto" statement. Yes, apparently they still use "goto" statements at Apple.
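A simplified model of how a "goto" that falls outside the scope of its intended "if" can skip a signature check, shown beside a braced version. This is an added example, not Apple's source code; the function names and the integer stand-ins for the handshake checks are constructed for illustration.

```c
#include <stdio.h>

/* Constructed stand-ins for handshake steps; each returns 0 on success. */
static int hash_update(int ok)      { return ok ? 0 : -1; }
static int verify_signature(int ok) { return ok ? 0 : -1; }

/* Vulnerable shape: the second goto is not governed by the if, so it
 * always runs and the signature check below it is dead code. */
int verify_buggy(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;                /* stray statement, outside the if's scope */
    if ((err = verify_signature(sig_ok)) != 0)    /* never reached */
        goto fail;

fail:
    return err;                   /* still 0 from the successful hash step */
}

/* Braced shape: every branch is explicit, so a stray line cannot silently
 * change control flow, and err starts out as a failure value. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int err = -1;

    if ((err = hash_update(hash_ok)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig_ok)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Hash step succeeds, signature is bad: only the braced version rejects. */
    printf("buggy, bad signature: %d\n", verify_buggy(1, 0));
    printf("fixed, bad signature: %d\n", verify_fixed(1, 0));
    return 0;
}
```

Compiler diagnostics for unreachable code or misleading indentation, and a style rule requiring braces on every branch, flag this pattern before it ships.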

You can test if you have the bug by loading this page on your iPhone. If this page says you are vulnerable to the SSL/TLS flaw, you should update your iPhone immediately.

It has also been confirmed this flaw is present on OS X. No OS X update is available yet.