Öffentliche Verwaltung Deutschland Group


Apple's SSL bug in iOS and OS X - CVE-2014-1266 

Feb 25, 2014 05:33 AM

Apple released iOS 7.0.6 as a security update; the details are as follows:


Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID: CVE-2014-1266

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.
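To make the defect concrete, here is an added C model of the control-flow bug in SSLVerifySignedServerKeyExchange (example code written for this post, not Apple's libsecurity_ssl source). The hashing and signature routines, and the names hash_update, hash_final, raw_verify, sign_params, verify_vulnerable and verify_fixed, are constructed stand-ins; what it shows is how a duplicated "goto fail;" jumps to the cleanup label while the error code still reads success, so the signature check never runs and an arbitrary or missing signature is accepted.

```c
/* Added model of the CVE-2014-1266 control-flow defect, not Apple's code.
 * hash_*() and raw_verify() are constructed stand-ins for the real routines. */
#define ERR_BAD_SIGNATURE (-1)
/* Constructed hash stand-in: multiplicative checksum over the bytes. */
static int hash_update(unsigned *ctx, const char *data) {
    for (; *data; data++) *ctx = *ctx * 131u + (unsigned char)*data;
    return 0;                     /* 0 means success, as in Secure Transport */
}
static int hash_final(unsigned *ctx) { *ctx ^= 0x5a5a5a5au; return 0; }

/* Stand-in for the raw signature check: success only on an exact match. */
static int raw_verify(unsigned hash, unsigned sig) {
    return hash == sig ? 0 : ERR_BAD_SIGNATURE;
}
/* The signature a genuine server sends over its random and key-exchange params. */
unsigned sign_params(const char *server_random, const char *params) {
    unsigned h = 0;
    hash_update(&h, server_random); hash_update(&h, params); hash_final(&h);
    return h;
}

/* Vulnerable shape: the second "goto fail;" is unconditional, so hash_final()
 * and raw_verify() are skipped and the function returns with err == 0. */
int verify_vulnerable(const char *server_random, const char *params, unsigned sig) {
    int err; unsigned hash = 0;
    if ((err = hash_update(&hash, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&hash, params)) != 0)
        goto fail;
        goto fail;                /* BUG: always taken, err is still 0 */
    if ((err = hash_final(&hash)) != 0)
        goto fail;
    err = raw_verify(hash, sig);  /* never reached */
fail:
    return err;
}

/* Fixed shape: one goto per check, so raw_verify() decides the outcome. */
int verify_fixed(const char *server_random, const char *params, unsigned sig) {
    int err; unsigned hash = 0;
    if ((err = hash_update(&hash, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&hash, params)) != 0)
        goto fail;
    if ((err = hash_final(&hash)) != 0)
        goto fail;
    err = raw_verify(hash, sig);
fail:
    return err;
}
```

The vulnerable version returns success for any signature value, which is the behaviour the CVE text describes; the fixed version only accepts the value sign_params() produces.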



The security update fixes a bug in the SSL implementation on iOS that would allow a man-in-the-middle attacker to intercept SSL-protected data. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Apple has already issued the fix for iOS in version 7.0.6, and according to Apple a similar fix for OS X should be expected shortly.


Current recommendations for iOS version 7.0.5 or older:

- update to version 7.0.6 immediately (perform the update over a trusted connection)


Current recommendations for OS X versions older than 10.9.2 include:

- use an alternative browser; Firefox and Chrome are currently considered unaffected by this bug because they use their own SSL/TLS libraries rather than Secure Transport

- avoid public and unsecured networks (especially WiFi networks)

- as soon as Apple releases the fix for OS X, apply the patch to the affected versions of the software to remediate

- AV or IPS protection is not a feasible mitigation for this issue



Further reading:

- About the security content of iOS 7.0.6

- Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!

- Apple security update fixes iOS vulnerability

- Urgent iPhone and iPad security update, Mac OS X pending

- Protect your Mac from SSL bug

