Apple (NASDAQ:AAPL) has acknowledged a major security flaw in its mobile iOS operating system software that could allow hackers to view or alter communication data on unsecured wireless networks, reports Engadget. Apple has already issued two updates – iOS 7.0.6 and iOS 6.1.6 — to address the security vulnerability. Per Apple, the iOS 7.0.6 patch repairs the security hole for iPhone 4 and later, iPod touch (fifth generation), and iPad 2 and later. The iOS 6.1.6 patch is available for the iPhone 3GS and the fourth-generation iPod touch.
“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” noted Apple on its support page for the security patch. “Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.”
Unfortunately, the security flaw appears to extend beyond Apple’s mobile devices. According to security firm Crowdstrike, a similar security flaw is also present in Apple’s OS X operating system. Apple has yet to issue a security patch for OS X, although one is expected soon.
As noted by Crowdstrike, an attacker must stage a “man-in-the-middle” attack via an unsecured network in order to exploit the security flaw. “Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake,” stated Crowdstrike on its company blog. “This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”
For this reason, Crowdstrike recommends that Apple users avoid using public Wi-Fi connections or other untrusted networks until all of their mobile devices have been updated. For devices that have not yet been updated, the security firm recommends changing the “Ask to Join Networks” setting to “off.” This will prevent users’ devices from attempting to join networks that may be unsecured.
Although Apple has provided a security patch for mobile devices, the Cupertino-based company did not reveal if the vulnerability had been widely exploited or when the company first learned about it. “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” stated Apple on its support page.
Apple’s latest software security problem follows a recent revelation that the NSA has the ability to access almost all of the data found on iPhones via a software implant. The security exploit was uncovered from leaked information provided by former NSA contractor Edward Snowden and presented at the Chaos Communications Congress in Germany last December.
Follow Nathanael on Twitter (@ArnoldEtan_WSCS)