iOS 7.0.6 Stories June 9, 2014

New lock screen bypass discovered in iOS 7, allows access in 5 seconds under certain circumstances (Update: Resolved)

Update 6/30: It appears iOS 7.1.2 has resolved the issue: A state management issue existed in the handling of the telephony state while in Airplane Mode. This issue was addressed through improved state management while in Airplane Mode.

A new lock screen bypass has been discovered in iOS 7 that allows anyone to skip the default authentication method. The shocking part about this bypass is that it can be done in under five seconds. This isn’t the first time that lock screen security on iOS has been compromised, but this does require very specific conditions in place in order to work.

iOS 7.0.6 Stories February 22, 2014

Update: Apple says an OS X fix is coming soon.

Yesterday Apple released iOS update 7.0.6 alongside new builds for iOS 6 and Apple TV  that it said provided “a fix for SSL connection verification.” While Apple didn’t provide much specific information on the bug, it wasn’t long before the answer was at the top of Hacker News. It turns out that minor security fix was actually a major flaw that could in theory allow attackers to intercept communications between affected browsers and just about any SSL-protected site. Not only that, but the bug is also present in current builds of OS X that Apple has yet to release a security patch for.

Researchers from CrowdStrike described the bug in a report:

“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system),”

Adam Langley, a senior software engineer at Google, also wrote about the flaw on his blog ImperialViolet and created a test site to check if you have the bug (pictured above): expand full story

iOS 7.0.6 Stories February 21, 2014

After releasing iOS 7.0.5 at the end of last month to fix network errors for Chinese users, Apple has just released iOS 7.0.6 (Build 11B651) alongside iOS 6.1.6 (build 10b500) for the iPhone 3GS and 4th-gen iPod touch and Apple TV version 6.0.2 with a security fix related to SSL connection verification.  expand full story

Powered by WordPress.com VIP