Apple Patches 'Triple Handshake' Bug, Other Flaws
Yet another serious security bug has been located and patched, this time in Apple's iOS mobile platform and two versions of its desktop counterpart OS X. Updates to iOS and OS X, released yesterday (Apr. 22) patch a flaw that leaves some data transmissions wide open to snoops, along with several other software flaws particular to each platform.
The "Triple Handshake" bug, as it's called, affects all versions of iOS, plus OS X 10.8 Mountain Lion and 10.9 Mavericks. The patch is part of Apple's latest update, which also includes patches for several other more minor issues in Safari, Apple TV and other Apple products. Mobile users should upgrade to iOS 7.1.1 (up from 7.1), and OS X users should install the available updates.
The bug is located in the secure transport mechanism, which regulates the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption that protects inbound and outbound traffic. It only affects applications that use client certificates to establish secure connections with verified users.
The name "Triple Handshake" comes from the way the bug operates: attackers could create two encrypted connections, or "handshakes," on an affected device, and then insert their own data into one of the connections, thereby creating a "handshake" between the attacker's device and the target, entirely circumventing SSL encryption and proper authentication.
By exploiting this bug, cybercriminals could conduct "man-in-the-middle" attacks, capturing unprotected data in transit to and from affected devices.
Because it only affects certain Apple applications that use certificates, experts say the Triple Handshake bug is less serious than the "Goto Fail" bug, a separate flaw in Apple SSL connections discovered and patched in February. It's far less severe than the Heartbleed bug discovered earlier this month, which was also SSL-based, because Heartbleed affected so many websites and networking devices and exploits based on it would have been difficult to detect.
Still, Triple Handshake is serious for the people affected, and the end result is the same as Goto Fail and Heartbleed: supposedly protected information is laid bare. Users of iOS devices should update to the new version, iOS 7.1.1, which contains the "Triple Handshake" patch. The OS X versions, 10.8 Mountain Lion or 10.9 Mavericks, don't get a new number in their names but they do get patches that fix the issue.
OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9) all received other security updates and patches, including a Safari upgrade to 7.0.3, which patches a few remote execution bugs in the browser. So if you missed the Safari upgrade, installing the OS X upgrade will also patch Safari.
OS X Snow Leopard 10.6 once again received no patches, which has led security experts to hypothesize that Apple is, at least unofficially, no longer supporting the 5-year-old operating system. Apple TV set-top boxes also got an upgrade, from 6.1 to 6.1.1.