Apple Patches 'Triple Handshake' Bug, Other Flaws
The 'Triple Handshake' Bug is an SSL flaw that exposes data sent from most iOS devices and two versions of OS X. Users should upgrade ASAP.
Yet another serious security bug has been located and patched, this time in Apple's iOS mobile platform and two versions of its desktop counterpart, OS X. Updates to iOS and OS X, released yesterday (Apr. 22), patch a flaw that leaves some data transmissions wide open to snoops, along with several other software flaws particular to each platform.
The "Triple Handshake" bug, as it's called, affects all versions of iOS, plus OS X 10.8 Mountain Lion and 10.9 Mavericks. The patch is part of Apple's latest update, which also includes patches for several other more minor issues in Safari, Apple TV and other Apple products. Mobile users should upgrade to iOS 7.1.1 (up from 7.1), and OS X users should install the available updates.
The bug is located in the secure transport mechanism, which regulates the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption that protects inbound and outbound traffic. It only affects applications that use client certificates to establish secure connections with verified users.
The name "Triple Handshake" comes from the way the bug operates: attackers could create two encrypted connections, or "handshakes," on an affected device, and then insert their own data into one of the connections, thereby creating a "handshake" between the attacker's device and the target, entirely circumventing SSL encryption and proper authentication.
By exploiting this bug, cybercriminals could conduct "man-in-the-middle" attacks, capturing unprotected data in transit to and from affected devices.
Because it only affects certain Apple applications that use certificates, experts say the Triple Handshake bug is less serious than the "Goto Fail" bug, a separate flaw in Apple SSL connections discovered and patched in February. It's far less severe than the Heartbleed bug discovered earlier this month, which was also SSL-based, because Heartbleed affected so many websites and networking devices and exploits based on it would have been difficult to detect.
Still, Triple Handshake is serious for the people affected, and the end result is the same as Goto Fail and Heartbleed: supposedly protected information is laid bare. Users of iOS devices should update to the new version, iOS 7.1.1, which contains the "Triple Handshake" patch. The OS X versions, 10.8 Mountain Lion or 10.9 Mavericks, don't get a new number in their names but they do get patches that fix the issue.
OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9) all received other security updates and patches, including a Safari upgrade to 7.0.3, which patches a few remote execution bugs in the browser. So if you missed the Safari upgrade, installing the OS X upgrade will also patch Safari.
OS X Snow Leopard 10.6 once again received no patches, which has led security experts to hypothesize that Apple is, at least unofficially, no longer supporting the 5-year-old operating system. Apple TV set-top boxes also got an upgrade, from 6.1 to 6.1.1.
Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.
ammaross
Released, downloaded and patched in a few hours...try that with Android..lol
When an OS patch is released, it's downloaded and patched within a few hours as well on Android. The difficulty is getting the carriers to finish validating their bloatware and push out the upgrade. Nexus devices don't have such troubles, but they can most definitely improve the way bug-fix patches and the like can/should be handled.
