Apple Inc. (NASDAQ: AAPL) posted patches to its iOS mobile operating systems on Friday to fix a hole in iOS 6 and iOS 7 that would have allowed “an attacker with a privileged network position [to] capture or modify data in sessions protected by SSL/TLS.” The secure transport layer “failed to validate the authenticity of the connection.” Apple has fixed the problem by “restoring missing validation steps.”
This is a pretty big deal. It means that an attacker could intercept communications from an iPhone that was meant to be encrypted. Let’s say the attacker had access to the same network over an unsecured WiFi connection in a coffee shop or restaurant. He could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site. The worse news for Apple is the its desktop operating system, OS X, is perhaps even more exposed to attack.
Given the severity of the potential damage, Apple has taken a low-key approach to notifying users of the harm to which they are exposed. The company has pushed a patch to iPhone users, but the company’s note says only, “This security update provides a fix for SSL connection verification,” and contains a link to a page on Apple’s support site. The update gives no sense of urgency about installing the patch.
This has to be embarrassing for Apple. SSL (secure socket layer) has been around for about 20 years and implementing it properly should be a no-brainer for a company like Apple. Perhaps that is why the company’s response has been so low-key.