Apple security update fixes iOS vulnerability
The tech giant fixes a security problem in iOS that affected encrypted connections.
SSL, or Secure Sockets Layer, is one of the most basic forms of encrypting Internet traffic. Without it, almost anybody can see what you're doing online. According to Apple's full description of the update, the software previously had problems validating the authenticity of the connection, and the software fix restores steps that were missing in the validation process.
The company said the fix would stop an attacker from capturing and modifying data when supposedly shielded by SSL.
The patch is also available for older versions of Apple's operating system, with an iOS 6.1.6 update. The fix comes weeks after another minor iOS 7 update, which had to do with network errors in China. A more robust update, iOS 7.1, is expected next month.
Apple has been mum regarding specific details of the bug. So for that reason, it's difficult to gauge the magnitude of the situation. "It has the potential to be a very serious issue," said Jonathan Zdziarski, an iOS forensics expert. But he emphasized that many of the conclusions we can draw are only speculation, since Apple only vaguely and briefly described the vulnerability.
He did point to the possibility of man-in-the-middle attacks, where an eavesdropper could intercept data from a user's phone. He also points out that Apple didn't specifically mention any certain restrictions in its explanation of the vulnerability -- like, say, the bug only being applicable when a certain app is running. The lack of that caveat could indicate that the bug potentially affected the whole phone, giving an attacker complete control over the device and personal information on it.
Apple did not return a request for comment. We'll update this post if we hear back.
Update, 5:13 p.m. PT: Adds comments from an iOS forensic expert.