Apple patches iPhones, iPads, iMacs and MacBooks against critical security holes

Graham Cluley

If you are using Apple computers or iDevices, I recommend that you update your operating system as soon as possible – because on Tuesday the Cupertino-based firm published some critical security updates.

iPhone and iPad users are advised to update to iOS 7.1.1, which includes fixes for some 19 security flaws, including what is described as a “triple handshake” attack.

Here’s what Apple’s own security advisory has to say about that particular vulnerability:

Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL

Description: In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.

In layman’s language, bad guys could inject data with malicious intent into what was thought to be a secure connection.

Ouch.

(By the way, if you want the full nerdy details of “triple handshake” attacks, check out some of the work done by Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti from the Prosecco research team at INRIA Paris-Rocquencourt).
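To make the fix in the advisory concrete, here is a small model of the rule "a renegotiation must present the same server certificate as was presented in the original connection". It is an added example, not Apple's Secure Transport code; the class, function and flag names are hypothetical, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac


class RenegotiationError(Exception):
    """Raised when a renegotiation presents a different server identity."""


class SessionCertGuard:
    """Remembers the server certificate from the first handshake of a session."""

    def __init__(self, allow_cert_change=False):
        # Assumption: an opt-out flag, mirroring "by default" in the advisory.
        self.allow_cert_change = allow_cert_change
        self._pinned = None  # SHA-256 of the first leaf certificate (DER)

    def on_handshake(self, leaf_cert_der):
        """Call after every handshake; returns 'initial' or 'renegotiated'."""
        if not leaf_cert_der:
            raise RenegotiationError("server presented no certificate")
        digest = hashlib.sha256(leaf_cert_der).digest()
        if self._pinned is None:
            self._pinned = digest  # first handshake: remember who we talked to
            return "initial"
        same = hmac.compare_digest(self._pinned, digest)
        if not same and not self.allow_cert_change:
            raise RenegotiationError("server certificate changed during renegotiation")
        return "renegotiated"


def run_session(handshake_certs, allow_cert_change=False):
    """Feed one leaf certificate per handshake; return the list of outcomes."""
    guard = SessionCertGuard(allow_cert_change)
    outcomes = []
    for cert in handshake_certs:
        try:
            outcomes.append(guard.on_handshake(cert))
        except RenegotiationError as exc:
            outcomes.append("rejected: " + str(exc))
            break  # a real TLS stack would tear the connection down here
    return outcomes


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-for-server-A"
CERT_B = b"constructed-der-bytes-for-server-B"

if __name__ == "__main__":
    print(run_session([CERT_A, CERT_A]))
    print(run_session([CERT_A, CERT_B]))
```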

That’s not the only iOS flaw that has been fixed, of course. Other vulnerabilities patched by iOS 7.1.1 include security holes that could be exploited by boobytrapped websites to remotely execute code on an iDevice (a technique often used in the past by jailbreakers).

OS X Mavericks, meanwhile, receives Security Update 2014-002, bundling together many security patches, including fixes for flaws that could see hackers infecting victims’ computers via maliciously-crafted JPEG images with the intention of grabbing admin privileges.

In addition, Apple has updated Safari to version 7.0.3 – protecting against a bunch of very serious remote code execution holes revealed at the recent PWN2OWN vulnerability-hunting competition in Vancouver, where big bug bounties were paid out – and its Apple TV hockey pucks.

These security updates come less than two months after Apple released critical security patches for OS X and iOS addressing the serious SSL “goto fail” security hole that made it possible for hackers to intercept supposedly secure communications between Apple computers and websites.

That flaw was monumentally embarrassing for Apple, as it became clear that a programming goof had introduced a security flaw that potentially allowed online attackers to grab your userid or passwords as you attempted to log into popular websites.

And this, remember, was before any of us had even heard of the Heartbleed bug that affected some versions of OpenSSL.

The vulnerabilities described above might not be as catastrophic as “goto fail” or Heartbleed, but many of them should still be considered critical.

Don’t delay, patch today.

This article originally appeared on the Lumension blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.