If you use an iPhone, you might want to quickly get into the the settings menu and check for updates: there may be an important patch waiting for you. Apple has quietly pushed out iOS 7.0.6 and 6.1.6 — small updates that addresses a hitherto unknown security issue with its mobile OS. According to the company’s security notes, the previous versions of iOS was missing key SSL validation steps that kept Secure Transport from validating authentic connections, making it possible for “attackers with a privileged network position” to “capture or modify data in sessions protected by SSL/TLS.”
In other words, iOS devices were failing to protect themselves on shady networks, unbeknownst to the user. It’s not clear if this security flaw was known outside of Cupertino, but it certainly is now. Lucky you, then, that Apple has already issued the fix. Well, what are you waiting for? Update your phone/tablet/Apple TV, now!
Many news reports suggest that researchers have also found evidence that OS X also has SSL validation issues.
Confirmed OSX SSL weirdness: 10.9.1 doesn't validate certs properly whereas Linux does (ht @NCWeaver) pic.twitter.com/KrdWOXOLIO
— ashkan soltani (@ashk4n) February 22, 2014
Security firm Crowdstrike analyzed the iOS updates, and say they’ve found evidence both of Apple’s platforms were vulnerable to man-in-the-middle attacks. They expect Apple will push a fix for OS X soon, but for now recommend avoiding shady WiFi hotspots and updating only on trusted networks – good habits to practice any time.