Apple released security update iOS 7.0.6 - details as follows:
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.
The released security update fixes a bug in the SSL/TLS implementation on iOS that would allow man-in-the-middle attackers to intercept SSL-protected data. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Apple has already issued a fix for iOS in version 7.0.6 and, according to Apple, a similar fix for OS X should be expected shortly.
Current recommendations for iOS version 7.0.5 or older:
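To make the defect concrete, the following is an added illustration and not Apple's source code: a simplified C model of a verify routine whose error-handling chain contains a duplicated, unconditional "goto fail" (the cause discussed in the "Anatomy of a goto fail" article listed below). The hashing and signature steps are replaced by toy stand-ins (an XOR "hash" and a byte comparison), and the error code value is a placeholder, so only the control-flow effect is shown: the vulnerable shape returns success without ever reaching the signature check, while the fixed shape rejects a bad signature.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not Apple's code: a simplified model of the
 * "goto fail" control-flow defect. Hash and signature operations are
 * toy stand-ins so the effect of the duplicated line is visible. */

typedef int OSStatus;
enum { kToyCryptoError = -1 }; /* placeholder error code (assumption) */

/* Constructed sample ServerKeyExchange "parameters" and signatures.
 * The toy hash is the XOR of all bytes: 0x01^0x02^0x04^0x08 = 0x0F. */
static const uint8_t kSampleParams[] = {0x01, 0x02, 0x04, 0x08};
#define kSampleLen (sizeof kSampleParams)
#define kGoodSig 0x0F   /* matches the toy hash of kSampleParams */
#define kBadSig  0xF0   /* does not match: a forged/omitted signature */

/* Toy stand-in for a hash update: XOR the bytes into *hash. */
static OSStatus toy_update(uint8_t *hash, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++)
        *hash ^= data[i];
    return 0;
}

/* Toy stand-in for signature verification: valid only if sig equals the hash. */
static OSStatus toy_verify(uint8_t hash, uint8_t sig) {
    return (hash == sig) ? 0 : kToyCryptoError;
}

/* Vulnerable shape: the second "goto fail" is not guarded by an if, so it
 * always jumps to the cleanup label while err still holds the 0 returned by
 * the preceding successful step. The signature check below it is dead code. */
OSStatus verify_vulnerable(const uint8_t *params, size_t len, uint8_t sig) {
    OSStatus err;
    uint8_t hash = 0;
    if ((err = toy_update(&hash, params, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line */
    if ((err = toy_verify(hash, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: same routine with the duplicated line removed, so a bad
 * signature reaches toy_verify and produces a non-zero error. */
OSStatus verify_fixed(const uint8_t *params, size_t len, uint8_t sig) {
    OSStatus err;
    uint8_t hash = 0;
    if ((err = toy_update(&hash, params, len)) != 0)
        goto fail;
    if ((err = toy_verify(hash, sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("vulnerable, bad signature: %d (0 = accepted)\n",
           verify_vulnerable(kSampleParams, kSampleLen, kBadSig));
    printf("fixed, bad signature:      %d (non-zero = rejected)\n",
           verify_fixed(kSampleParams, kSampleLen, kBadSig));
    printf("fixed, good signature:     %d\n",
           verify_fixed(kSampleParams, kSampleLen, kGoodSig));
    return 0;
}
```

Compilers typically do not reject the unreachable check, which is why a defect of this shape survives a build; compiling with unreachable-code and misleading-indentation warnings enabled, and treating them as errors in CI, is the practical detection for this class of bug.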
- update to version 7.0.6 immediately (perform the update over a trusted connection)
Current recommendations for OS X version older than 10.9.2 include:
- use an alternate browser - currently Firefox and Chrome have been deemed safe from this bug, as they use their own SSL/TLS libraries rather than Secure Transport
- avoid using public and unsecured networks (especially WiFi networks)
- as soon as Apple releases the fix for OS X, apply the patch to the affected versions of the software to remediate
- AV or IPS protection is not feasible for this issue
Further reading:
- About the security content of iOS 7.0.6
- Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!
- Apple security update fixes iOS vulnerability
- Urgent iPhone and iPad security update, Mac OS X pending
- Protect your Mac from SSL bug