- Experts have advised iPhone users to download iOS 7.0.6 as quickly as possible, which was rolled out by Apple on Friday
- Is thought users of iOS devices could have been at risk to the vulnerability for up to a year-and-a-half but there have been no reports of hacks
- Johns Hopkins cryptography professor in Baltimore, Maryland said that the bug was 'as bad as you can imagine'
iPhone
users have been blissfully unaware that for the past year-and-a half
they could have been the victim of 'hi-tech eavesdropping'
Security experts have warned that past iterations of iOS software - dating from as long ago as September 2012 - had a vulnerability that hackers could have exploited to see financial transactions, emails and Facebook activity.
They have advised iPhone users to download iOS 7.0.6 as quickly as possible, which was rolled out by Apple on Friday with a note about the patch.
A release note explained that the company has fixed the bug in which ‘an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS’.
'Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,' Apple said.
Experts are trying to work out the exact iOS update the bug first appeared in, but it is thought that it cropped up around a year and a half ago.
There have been no reports of hacks.
Secure Sockets Layer (SSL) ensures that communication between a browser and website servers are secure and Transport layer Security (TLS) is a newer way of doing the same thing, Gizmodo explained.
While users might not be aware of them, SSL and TLS mean that a browser and server can recognise each other to keep financial transactions and log-in information safe.
But iPhone and iPad users have not had the full benefit of this as the bug meant that Safari couldn’t recognise if the servers it was talking to were the valid account, leaving users open to what are known as ‘man in the middle’ attacks, or hi-tech eavesdropping.
Security
experts have warned that past iterations of iOS dating from as long ago
as September 2012, had a vulnerability that hackers (illustrated) could
exploit to see financial transactions, emails and Facebook activity
HOW TO PROTECT YOURSELF
Experts suggest that anyone using an iOS device downloads 7.0.6 immediately.
Gizmodo advised that anyone with an iPod touch downloads iOS 6.1.6 instead.
There is currently no official fix for the vulnerability for OS X but Apple said one is coming 'very soon'.
In the meantime experts suggest that MacBook users should use Google Chrome or Firefox to browse the web, which are not affected on OS X.
They also say that secure networks should thwart any attempts by hackers to perform ‘man in the middle’ attacks.
Gizmodo advised that anyone with an iPod touch downloads iOS 6.1.6 instead.
There is currently no official fix for the vulnerability for OS X but Apple said one is coming 'very soon'.
In the meantime experts suggest that MacBook users should use Google Chrome or Firefox to browse the web, which are not affected on OS X.
They also say that secure networks should thwart any attempts by hackers to perform ‘man in the middle’ attacks.
Experts claim the Apple bug made it potentially easy for hackers to do just this – although it is not known whether the bug was exploited by anyone.
One New-York based security expert, Jeffrey Grossman, wrote on Twitter that iPhone users have been susceptible to attacks since September 2012.
Security experts have been cagey about revealing the ins and outs of the bug, but Matthew Green, a Johns Hopkins cryptography professor in Baltimore, Maryland told Reuters: 'The bug is as bad as you can imagine’.
Apple said: 'For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.'
Experts said Apple has now fixed the problem for iPhone and iPad users in its latest iOS 7.0.6 release, but some users have reported teething problems in downloading it.
While it is not thought the problem is widespread, a handful of iPhone 5S and iPad Air owners took to Twitter to vent their anger about how their devices were unable to function during and after they installed the update on the move, Techienews reported.
The
bug also affects MacBooks' OS X and currently there is not yet a fix
for the vulnerability. However, the California company told Reuters that
a fix for Mac computers (pictured) will be available 'very soon'
However, the California company told Reuters that a patch for Mac computers will be available 'very soon'.
Apple spokeswoman Trudy Muller said: 'We are aware of this issue and already have a software fix that will be released very soon.'
It is not known how Apple found out about the vulnerability, which has presumably gone unnoticed for some time.
Google engineer Adam Langley wrote on his personal blog that the flaw might not have shown up without complex and thorough testing.
'I believe that it's just a mistake and I feel very bad for whomever might have slipped,' he said.
No comments:
Post a Comment