On Friday, Apple released a patch for quite a substantial security vulnerability in its iOS operating system that meant hackers could read and modify encrypted communications on iPhone, iPad and other iOS devices. In an email to IT Security Guru, Mark Bower, VP at Voltage Security, answers some important questions about what users should be aware of.
What’s the meaning of the flaw and what do users need to do now?
The flaw basically means a critical check on the validity of a server’s SSL certificate is ignored when an app is establishing a secure connection. That might be your electronic banking application, your email, or a browser. This means that for quite some time, attackers with knowledge of this bug had the ability to mount man-in-the-middle attacks on users operating Apple devices.
This could have allowed interception or modification of SSL communications which are supposed to be private and encrypted. The impact is to the many commonly used browsers, email clients, instant messaging clients, social network apps and so on.
The bug has been fixed in the latest iOS release, but the current Mac OS X also appears to have the flaw and until a patch is available, OS X-based laptops, desktops and servers are vulnerable.
Should they download the patch?
They should patch immediately. This is a major bug that puts users’ sensitive data like login credentials, passwords, email, and browsing data at risk. When Apple releases for OS X, users should patch at their earliest opportunity. Until then, users should be very wary of accessing web content that is sensitive, especially on a network that attackers may also be on at the same time – which is more often than you might think.
What else?
Even the best companies can make mistakes. In this case a major flaw persisted for a long time. Using solutions for data protection from leading experts in data security who use secure software development practices, security validation and independent tests can help avoid this kind of situation when selecting tools for enterprise data protection.