Apple Patches 'Triple Handshake' Bug, Other Flaws

Yet another serious security bug has been located and patched, this time in Apple's iOS mobile platform and two versions of its desktop counterpart, OS X. Updates to iOS and OS X, released yesterday (Apr. 22), patch a flaw that leaves some data transmissions wide open to snoops, along with several other software flaws particular to each platform.

The "Triple Handshake" bug, as it's called, affects all versions of iOS, plus OS X 10.8 Mountain Lion and 10.9 Mavericks. The patch is part of Apple's latest update, which also includes patches for several other more minor issues in Safari, Apple TV and other Apple products. Mobile users should upgrade to iOS 7.1.1 (up from 7.1), and OS X users should install the available updates.


The bug is located in Secure Transport, the component that handles the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protecting inbound and outbound traffic. It only affects applications that use client certificates to establish secure connections with verified users.

The name "Triple Handshake" comes from the way the bug operates: an attacker could set up two encrypted connections, or "handshakes," involving an affected device, then insert their own data into one of the connections, thereby creating a "handshake" between the attacker's device and the target that entirely circumvents SSL encryption and proper authentication.

By exploiting this bug, cybercriminals could conduct "man-in-the-middle" attacks, capturing unprotected data in transit to and from affected devices.

Because it only affects certain Apple applications that use certificates, experts say the Triple Handshake bug is less serious than the "Goto Fail" bug, a separate flaw in Apple SSL connections discovered and patched in February. It's far less severe than the Heartbleed bug discovered earlier this month, which was also SSL-based, because Heartbleed affected so many websites and networking devices, and exploits based on it would have been difficult to detect.

Still, Triple Handshake is serious for the people affected, and the end result is the same as Goto Fail and Heartbleed: supposedly protected information is laid bare. Users of iOS devices should update to the new version, iOS 7.1.1, which contains the "Triple Handshake" patch. The OS X versions, 10.8 Mountain Lion or 10.9 Mavericks, don't get a new number in their names but they do get patches that fix the issue.

OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9) all received other security updates and patches, including a Safari upgrade to 7.0.3, which patches a few remote execution bugs in the browser. So if you missed the Safari upgrade, installing the OS X upgrade will also patch Safari.

OS X Snow Leopard 10.6 once again received no patches, which has led security experts to hypothesize that Apple is, at least unofficially, no longer supporting the 5-year-old operating system. Apple TV set-top boxes also got an upgrade, from 6.1 to 6.1.1.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

Comments from the forums
  • Dr-Emmerich
    Released, downloaded and patched in a few hours...try that with Android..lol
  • ammaross
    Quote:
    Released, downloaded and patched in a few hours...try that with Android..lol

    When an OS patch is released, it's downloaded and patched within a few hours as well on Android. The difficulty is getting the carriers to finish validating their bloatware and push out the upgrade. Nexus devices don't have such troubles, but they can most definitely improve the way bug-fix patches and the like can/should be handled.