Apple Bug Bad. Patch Now. Here Are Good Writeups
Yesterday Apple released iOS 7.06, an important security update you have probably seen blasted across many other sites. A couple points:
- Apple normally doesn’t issue single-bug out-of-cycle security patches for non-public vulnerabilities. They especially don’t release a patch when the same vulnerability may be present on OS X but there isn’t an OS X patch yet. I hate speculating, especially where Apple is concerned, but Apple has some reason for handling this bug this way. Active exploitation is one possibility, and expectations of a public full disclosure is another.
- The bug makes SSL worthless if an attacker is on the same network as you.
- OS X appears vulnerable (10.9 for sure). There is no public patch yet. This will very likely be remediated very quickly.
- A lot of bad things can be done with this, but it isn’t a remotely exploitable malware kind of bug (yes, you might be able to use it locally to mess with updates – researchers will probably check that before the weekend is out). It is bad for Man in the Middle (MitM) attacks, but it isn’t like someone can push a button and get malware on all our iOS devices.
- It will be interesting to see whether news outlets understand this.
The best technical post is at ImperialViolet. They also have a test page.
If you are in an enterprise, either push the update with MDM as soon as possible, or email employees with instructions to update all their devices.