iOS 7.0.6, iOS 6.1.6, Apple TV 6.0.2 fix a fundamental bug in Apple’s SSL implementation

Apple has released a security update for iOS 7, bringing it to iOS 7.0.6. [1] This is another rather large download, weighing in at 1.39GB. The same SSL vulnerability exists in iOS 6 and Apple TV, and is patched by iOS 6.1.6 and Apple TV 6.0.2. Due to the nature of the vulnerability, you should apply these updates ASAP.

❝ Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. ❞

❝ A major flaw in Apple software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed. … The issue is a “fundamental bug in Apple’s SSL implementation,” said Dmitri Alperovich, chief technology officer at security firm CrowdStrike. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk. … ❞ [4]

❝ Apple sent out 3 bulletins and OS updates today (iOS 6.1.3, iOS 7.0.6, and Apple TV 6.0.2) all fixing a bug that would potentially allow SSL/TLS connections to be vulnerable to undetected man-in-the-middle attacks. ❞ [5]


[1] About the security content of iOS 7.0.6 HT6147 (2014-Feb-21) [Apple]
[2] About the security content of iOS 6.1.6 HT6146 (2014-Feb-21) [Apple]
[3] About the security content of Apple TV 6.0.2 HT6148 (2014-Feb-21) [Apple]
[4] Apple security flaw ‘as bad as you could imagine’ (2014-Feb-24) [AFR]
[5] Apple updates iOS and Apple TV (2014-Feb-22) [SANS]
[6] iOS SSL vulnerability also present in OS X (2014-Feb-23) [SANS]


One Response to iOS 7.0.6, iOS 6.1.6, Apple TV 6.0.2 fix a fundamental bug in Apple’s SSL implementation

  1. Interestingly, I have been unable to download the iOS 6.1.3 iPhone Software Update (784.9MB) for my iPhone 3GS via iTunes, but was able to patch to iOS 6.1.3 via the patch offered via Settings on the iPhone (12MB) on WiFi. Something appears to be dodgy in the iTunes delivery method as it has failed at least 10 times over two days on a very high bandwidth connection.
