A patch for Apple’s iOS 7 fixes an SSL vulnerability, but also exposes other devices to man-in-the-middle (MitM) attacks, researchers said.
The software “failed to validate the authenticity of the connection,” Apple said.
An update was released for the current version of iOS for the iPhone 4 and later, the 5th-generation iPod touch, and the iPad 2 and later. However, the same SSL flaw affects Apple laptops and desktop computers running Mac OS X.
Apple has not yet released patches for those systems, so user credentials can be intercepted by anyone presenting a trusted certificate (the kind used to make secure connections to a server over the Internet) through a man-in-the-middle attack, a form of active eavesdropping in which the attacker sits between the user and a website such as Facebook or Google and reads the traffic the user believes is protected.
“The vulnerability resides in the Secure Transport implementation which fails to provide hostname verification. This means any digital certificate would validate for any number of websites as long as it is valid, thus leaving the user open to a man-in-the-middle attack scenario,” said Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender. “Apparently, the bug is caused by a duplicate goto instruction that hijacks logic in the SSLVerifySignedServerKeyExchange function.”
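The control-flow defect Botezatu describes, reduced to a constructed C simulation added here (this is not Apple's code; the helper names and the integer stand-ins for the hash context and signature are assumptions) so the skipped check is visible beside the corrected flow:

```c
#include <stdio.h>

/* Constructed stand-ins for the real Secure Transport helpers (assumption:
 * names and behaviour are simplified and are not Apple's). */
static int hash_update(int *ctx) { *ctx += 1; return 0; }   /* always succeeds */
static int hash_final(int *ctx)  { *ctx += 1; return 0; }   /* always succeeds */
/* Returns 0 when the server's signature is good, -1 when it is forged. */
static int raw_verify(int sig_valid) { return sig_valid ? 0 : -1; }

/* Shape of the flawed key-exchange check: the second, unindented
 * "goto fail" is unconditional, so raw_verify() is never reached and
 * err still holds the 0 that hash_update() returned. A forged
 * signature is therefore reported as valid. */
int verify_buggy(int sig_valid) {
    int ctx = 0, err;
    if ((err = hash_update(&ctx)) != 0)
        goto fail;
        goto fail;               /* duplicated line: always taken */
    if ((err = hash_final(&ctx)) != 0)
        goto fail;
    err = raw_verify(sig_valid);
fail:
    return err;
}

/* Same flow with the duplicate line removed: err reflects raw_verify(). */
int verify_fixed(int sig_valid) {
    int ctx = 0, err;
    if ((err = hash_update(&ctx)) != 0)
        goto fail;
    if ((err = hash_final(&ctx)) != 0)
        goto fail;
    err = raw_verify(sig_valid);
fail:
    return err;
}

int main(void) {
    printf("forged signature, buggy: err=%d\n", verify_buggy(0)); /* 0: accepted */
    printf("forged signature, fixed: err=%d\n", verify_fixed(0)); /* -1: rejected */
    return 0;
}
```

Compiling the buggy variant with clang's -Wunreachable-code warns that the second if-statement can never execute, which is the kind of check that catches this class of defect before release.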