{"id":22345,"date":"2014-02-24T15:57:21","date_gmt":"2014-02-24T23:57:21","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=22345"},"modified":"2016-10-06T12:38:24","modified_gmt":"2016-10-06T19:38:24","slug":"apple-patches-major-data-security-flaw-with-ios-update","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apple-patches-major-data-security-flaw-with-ios-update\/","title":{"rendered":"Apple Patches Major Data Security Flaw with iOS Update"},"content":{"rendered":"

Apple has patched a major data security flaw with its latest iOS update. The tech company pushed two software updates for iOS users with the release of iOS 6.1.6 for iPhone 3GS and iOS 7.0.6 for iPhone 4 and later. These updates provide \u201ca fix for SSL connection verification,\u201d according to the update notices.<\/p>\n

\"iOS<\/a><\/p>\n

The iOS 6.1.6 update is available for: iPhone 3GS, iPod touch (4th<\/sup> generation).<\/p>\n

The iOS 7.0.6 update is available for: iPhone 4 and later, iPod touch (5th<\/sup> generation).<\/p>\n

Both iOS 6.1.6 and iOS 7.0.6 updates patch the same vulnerability (CVE-2014-1266), from which an attacker with a privileged network position may capture or modify data in sessions protected by SSL\/TLS. Apple also released Apple TV 6.0.2 with fixes for the same SSL flaw<\/a>.<\/p>\n

Apple described<\/a> the vulnerability as follows:<\/p>\n

CVE-2014-1266<\/a> : Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.<\/p><\/blockquote>\n

Apple released the patch for iOS and Apple TV on Friday. News of the update quickly spread over the weekend after several researchers reported that the flaw also affected OS X 10.9 Mavericks and possibly other OS X versions. InfoWorld mentioned<\/a>, \u201cOn OS X, the flaw is likely limited to SSL connections over unsecured Wi-Fi networks, though only in Safari.\u201d An Apple spokesperson said that a fix for OS X is due “very soon<\/a>.”<\/p>\n

InfoWorld further explained the impact of this vulnerability:<\/p>\n

[C]ommunications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted, potentially exposing user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.<\/p><\/blockquote>\n

With Macs likely still affected by this vulnerability, Dan Goodin over at Ars Technica offered<\/a> some recommendations for OS X users:<\/p>\n

For the time being, people using Macs should avoid using public networks, a step that can thwart many criminal eavesdroppers but will do little to prevent surveillance by the National Security Agency and other state-sponsored spies. Because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn’t be considered a panacea.<\/p><\/blockquote>\n

From the WSJ, this video does a great job summarizing what Mac users need to know about Apple’s security flaw:<\/p>\n