On Friday, February 21st, Apple released a seemingly innocuous update to their iOS operating system, update 7.0.6. You should be forgiven for not thinking much of this. Most 0.0.x updates fix minor bugs addressing specific user situations. For example, 7.0.5 was not even released to iOS users outside of China since the fixes and updates in that release were Chinese-specific. Update 7.0.6 is dramatically different from previous 0.0.x updates.
Despite the minor-update version number, iOS 7.0.6 fixes a critical flaw in iOS security related to accessing secure websites, like your bank. If you’re running any version of iOS 7 prior to 7.0.6 or a version of iOS 6 prior to 6.1.6, this bug effects your iPhone and iPad. The respective updates are free and can be applied directly from your iDevice by going to Settings > General > Software Update. Download and install any available updates.
Background on the Flaw
You should apply the update; no question about it. If you’re interested in the background of what the flaw means, keep reading.
The flaw existing in iOS prior to 7.0.6 and 6.1.6 effects how the operating system and apps handle secure connections over https connections; again, like your bank, online shopping, secure email, etc. These https connections rely on protocols called SSL and TLS. When your device reaches out to make a secure connection with a web service, the service and your device perform what programmers call a “handshake” to negotiate how they’re going to talk to one another. The iOS flaw allows a nefarious third party to intercept your communication with the web service and read all of the traffic going each way. In security parlance, this is called a “man in the middle” attack because the bad actor inserts himself into the middle of your conversation for purposes of stealing passwords or other confidential data.
If you’d like more technical details on the vulnerability, here are some excellent resources:
For those of you who, in addition to using iPhones and iPads., also use Macs, there’s an additional bit of bad news. The same flaw that iOS suffers also exists in Mac OS 10.9 Mavericks, the latest release of Apple’s operating system. Versions of Mac OS prior to 10.9 are unaffected. There is also a patch for Mac OS, update 10.9.2, which addresses this vulnerability. You should apply it as soon as possible. For those not updating immediately, it’s our advice for users of 10.9 and 10.9.1 to rely on Chrome or FireFox instead of Safari for web browsing, and to avoid unsecured wireless networks (although that last bit is always and everywhere good advice).
If you have questions, feel free to contact us.