Voltage Security comment on latest iOS security flaw and patch
(M2 PressWIRE Via Acquire Media NewsEdge) Commenting on the latest iOS security flaw, which has now been patched, Mark Bower, VP at Voltage Security, answered the following:
1. What's the meaning of the flaw and what do users need to do now?
"The flaw basically means a critical check on the validity of a server's SSL certificate is ignored when an app is establishing a secure connection. That might be your electronic banking application, your email, or a browser. This means that for quite some time, attackers with knowledge of this bug had the ability to mount man-in-the-middle attacks on users operating Apple devices.
This could have allowed interception or modification of SSL communications which are supposed to be private and encrypted. The impact is to the many commonly used browsers, email clients, instant messaging clients, social network apps and so on.
The bug has been fixed in the latest iOS release, but the current Mac OS X also appears to have the flaw and until a patch is available, OS X based laptops, desktops and servers are vulnerable."
2. Should users download the patch?
"They should patch immediately. This is a major bug that puts users' sensitive data like login credentials, passwords, email, and browsing data at risk. When Apple releases for OS X, users should patch at their earliest opportunity. Until then, users should be very wary of accessing web content that is sensitive, especially on a network that attackers may also be on at the same time - which is more often than you might think."
3. What else?
"Even the best companies can make mistakes. In this case a major flaw persisted for a long time. Using solutions for data protection from leading experts in data security who use secure software development practices, security validation and independent tests can help avoid this kind of situation when selecting tools for enterprise data protection."
(c) 2014 M2 COMMUNICATIONS