Yesterday Apple released iOS 7.06, an important security update you have probably seen blasted across many other sites. A couple points:

  • Apple normally doesn’t issue single-bug out-of-cycle security patches for non-public vulnerabilities. They especially don’t release a patch when the same vulnerability may be present on OS X but there isn’t an OS X patch yet. I hate speculating, especially where Apple is concerned, but Apple has some reason for handling this bug this way. Active exploitation is one possibility, and expectations of a public full disclosure is another.
  • The bug makes SSL worthless if an attacker is on the same network as you.
  • OS X appears vulnerable (10.9 for sure). There is no public patch yet. This will very likely be remediated very quickly.
  • A lot of bad things can be done with this, but it isn’t a remotely exploitable malware kind of bug (yes, you might be able to use it locally to mess with updates – researchers will probably check that before the weekend is out). It is bad for Man in the Middle (MitM) attacks, but it isn’t like someone can push a button and get malware on all our iOS devices.
  • It will be interesting to see whether news outlets understand this.

The best security pro article is over at ThreatPost.

The best technical post is at ImperialViolet. They also have a test page.

If you are in an enterprise, either push the update with MDM as soon as possible, or email employees with instructions to update all their devices.

Share: