Apple Issues Critical Vulnerability Patch for the Majority of its Devices

Photo credit: TonyV3112/
Photo credit: TonyV3112/

The accompanying explanation from Apple is simple and sparse: "An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS... Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."

This describes a failure to correctly implement SSL, which in turn means that communications that users have believed to be protected by encryption have not been securely encrypted. Apple has not disclosed when it discovered the flaw, nor whether it is known to have been exploited. However, the range of devices patched indicates it is a systemic problem that has existed over a long timeframe. Experts have said it also affects OS/X, which would include Apple's desktop and laptop computer range. OS/X has not yet been patched, but Apple is believed to be working on a fix. Until then, OS/X users should be wary of sending anything confidential via their computers.

The problem seems to be a failure to adequately check the credentials of the destination server. This would allow anyone who could sit between the user and destination to operate a man-in-the-middle operation. Since its credentials would not be checked, it would be assumed to be correct and would be able to read the encrypted traffic. In an organized attack – such as those by serious criminals or spy agencies – the traffic would be sent on to the legitimate destination, and the user would be none the wiser. 

Adam Langley, a Google security engineer with perhaps an unfortunate surname under current circumstances, wrote in his ImperialViolet blog, "This sort of subtle bug deep in the code is a nightmare. I believe that it's just a mistake and I feel very bad for whomever might have slipped in an editor and created it."

Nevertheless, serious questions must be asked of and by Apple over how such a simple but catastrophic coding error could slip through all coding validation checks.

What’s Hot on Infosecurity Magazine?