Apple’s latest security update became available on Friday, though the full nature of the security issues it addresses remains unclear. What is clear is that the problem was critical and has apparently been a longstanding one.
Apple notified users on its support page: “iOS 7.0.6; Data Security; Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later:
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.”
Wired provided an inside scoop, saying: “[The] terse description in Apple’s announcement yesterday had some of the internet’s top crypto experts wondering aloud about the exact nature of the bug. Then, as they began learning the details privately, they retreated into what might be described as stunned silence. ‘Ok, I know what the Apple bug is,’ tweeted Matthew Green, a cryptography professor at Johns Hopkins. ‘And it is bad. Really bad.’”
This update supposedly fixes a problem in SSL connection verification. SSL stands for Secure Sockets Layer, a protocol that encrypts data sent over the Internet. The security issues affected not only iPhones, iPods and iPads, but also laptops and desktops, which could have been affected even more. Both laptops and desktops currently remain without a security update.
That e-mails and sensitive data were this exposed to interception and decryption is very much a dropping of the ball on Apple’s part. Security and encryption are by far the most important safety protocols there are today, and for a major vendor like Apple to wait so long to fix this bug is shocking.
To counteract this embarrassment, Apple will now need to make a significant security push and win back the trust it has lost.