Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately.
The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories here and here. The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such “man-in-the-middle” attackers could exploit the bug by abusing the “triple handshake” carried out when secure connections are established by applications that use client certificates to authenticate end users.
For days Apple had been saying that its products were immune to Heartbleed; now we know why: as usual, Apple goes its own way and had its own version of the bug.
From iPhones and Macs get fix for extremely critical “triple handshake” crypto bug | Ars Technica.
Thanks to Erix for the tip.