Yet another major security flaw has come to light, and Apple has released updates for its two major operating systems to address it. The HTTP "triple handshake" bug is considered extremely serious because it can be exploited to allow attackers to circumvent encryption on communications which rely on SSL for security.
Ars Technica reports that devices running iOS 7, OS X 10.9.x (Mavericks) and OS X 10.8.x (Mountain Lion) are vulnerable unless they install the latest updates. Apple's release notes for iOS 7.1.1 describe four security-related fixes, including one for the
triple handshake bug, known as
CVE-1295..
Apple's description doesn't include a severity rating, but describes the potential impact as "An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL."
The bug allows attackers trick a client into sending them credentials by spoofing a connection to another trusted server. The credentials could then be reused with other servers, which would simply accept them without question. Apple's fix now ensures that credentials are verified against the original SSL certificate for each connection.
The update comes hot on the heels of
another disclosure by Apple that its AirPort Extreme and AirPort Time Capsule routers were vulnerable to the Heartbleed OpenSSL bug. A patch for those products has also been released.
Apple was also forced to issue emergency OS updates in February this year for a security bug dubbed
GoToFail, which tricked Web browsers into accepting SSL certificates without legitimate signatures.
