I’m usually kinda lax on installing OS updates, but I just came across the iOS 7.0.6 announcement. It’s pretty scary:
Apparently this allowed a certain category of attackers (“with a privileged network position,” so not just anybody) to see or modify data ostensibly protected by SSL. How could the session not be properly validated?
I don’t see many details online yet (look at the CVE site later) but now that a patch is available there will presumably be more discussion soon.
In the meantime, I’d be making with the updating…
Just found this, some mostly unnamed researchers have looked at the patch and determined OS X has the same problem. Ouch.
Apple security flaw could allow hackers to beat encryption
Update the Second: Well isn’t this interesting…
The issue is a programming error, one that circumvented a necessary verification condition with an errant line of code. Every single programmer ever has made this error at some point, sometimes after an embarrassingly large number of years of professional work.
The hard part is making sure something or someone in your process catches it before it ships, because even the best programmers get tired and miss something. And that is a subject for an entirely different blog.
Leave a Reply