
Apple patches yet another SSL flaw in iOS and OS X

Apple has patched a security flaw in iOS and OS X that allowed data on SSL connections to be easily intercepted.


A security update issued by the firm on Tuesday detailed the bug along with various others, all of which Apple deemed serious. The iOS 7.1.1 update and new versions of OS X Mountain Lion and Mavericks aim to address the issue.

The worst vulnerability patched, according to Threatpost, affected both iOS and OS X and allowed an attacker in a man-in-the-middle position on a user's network to change a connection’s properties and intercept secure traffic.

“In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” stated Apple’s advisory.

SSL’s fortunes are at a particularly low ebb right now following the discovery of the OpenSSL Heartbleed vulnerability that sparked a global panic earlier this month. Apple's patch for the latest bug, which affected OS X Mountain Lion 10.8.5 and OS X Mavericks 10.9.2 as well as iOS 7.1 and earlier, could go some way to instilling a modicum of confidence in the security layer.

Various other flaws were also patched in the releases, including two buffer overflows in OS X Mavericks that could lead to remote code execution, each affecting a different part of OS X.

“Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie,” Apple added.
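The truncated Set-Cookie behaviour described in the advisory, shown as an added example that is not Apple's code or part of the original article: a lenient parser stores a cookie from a header line that was cut off before its attributes arrived, while a strict one waits for the complete header block. The function names and sample bytes are constructed, and the strict rule is an assumed fix for illustration, not Apple's actual patch.

```python
# Constructed sample bytes (not captured traffic). The server meant to send
# "Set-Cookie: sid=abc123; Secure; HttpOnly", but in TRUNCATED the connection
# closes partway through that header line.
COMPLETE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Set-Cookie: sid=abc123; Secure; HttpOnly\r\n\r\n")
TRUNCATED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: sid=abc123"


def parse_cookie(value):
    """Split one Set-Cookie value into (name, value, lowercase attribute set)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    return name, val, {p.lower() for p in parts[1:] if p}


def _set_cookies(header_lines):
    """Collect parsed cookies from an iterable of header lines."""
    found = []
    for line in header_lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            found.append(parse_cookie(value))
    return found


def cookies_lenient(raw):
    """Flawed behaviour: every received line is processed, including a last
    line that was never terminated by CRLF."""
    return _set_cookies(raw.decode("latin-1").split("\r\n")[1:])


def cookies_strict(raw):
    """Hardened behaviour (assumed fix): nothing is stored unless the whole
    header block arrived, i.e. the blank line ending the headers was seen."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        return []
    return _set_cookies(head.decode("latin-1").split("\r\n")[1:])


if __name__ == "__main__":
    for label, raw in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(label, "lenient:", cookies_lenient(raw), "strict:", cookies_strict(raw))
```

On the truncated input the lenient parser returns the cookie with an empty attribute set, which is the unprotected cookie the advisory describes; the strict parser returns nothing.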

Two other vulnerabilities in OS X could have allowed a hacker to bypass the ASLR exploit mitigation, with one flaw in the IOKit kernel and the other in the OS X kernel; the issue also affected iOS 7.1 users.


News of another security flaw in Apple’s two operating systems follows a security breach back in February that hit both iOS and OS X. That earlier issue was a vulnerability in the way SSL and TLS authentication is handled, and it allowed attackers to capture or modify data.