Apple SSL vulnerability and the enterprise

In January, Apple detected a flaw in its iOS (iPhone, iPad, etc.) and OS X operating systems which would allow an attacker to view encrypted data streams via a man-in-the-middle attack or a malicious local application by presenting the system with an invalid SSL certificate. The code responsible for verifying the validity of the presented certificate has a flaw which reports the certificate as valid regardless of whether or not it actually passes the check. 5 days ago, Apple released an update to iOS 6 and 7 to fix the bug on vulnerable portable devices, and a patch for vulnerable OS X operating systems was released yesterday.
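As an added illustration (constructed for this post, not Apple's code or any published exploit), here is a verification routine with the class of control-flow defect described above: an unconditional early jump lands on the cleanup label while the error variable still holds "success", so the signature comparison is never reached and any certificate is reported valid. The hardened form beside it reaches the comparison whenever the preceding steps succeed. All function and constant names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the signature a valid certificate would carry. */
#define VALID_SIGNATURE "sig-ok"

/* Stand-in for a hashing step; returns 0 on success like the real thing. */
static int hash_update(const char *data) { return data ? 0 : -1; }

/* Defective form: the second "goto fail" is unconditional, so control jumps
 * to the label with err still 0 and the signature check below is dead code.
 * The caller sees 0 ("valid") no matter what signature was presented. */
int verify_cert_defective(const char *signature) {
    int err = 0;
    if ((err = hash_update("server-key-exchange")) != 0)
        goto fail;
        goto fail;            /* unconditional: skips the real check */
    if (strcmp(signature, VALID_SIGNATURE) != 0)
        err = -1;             /* never reached */
fail:
    return err;
}

/* Corrected form: braces and one conditional jump per step, so the
 * signature comparison always runs when the earlier steps succeed. */
int verify_cert_fixed(const char *signature) {
    int err = 0;
    if ((err = hash_update("server-key-exchange")) != 0) {
        goto fail;
    }
    if (strcmp(signature, VALID_SIGNATURE) != 0) {
        err = -1;             /* invalid signature: reject */
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* A forged signature should be rejected; the defective routine accepts it. */
    printf("defective: %d (0 = accepted)\n", verify_cert_defective("sig-forged"));
    printf("fixed:     %d (nonzero = rejected)\n", verify_cert_fixed("sig-forged"));
    return 0;
}
```

A compiler's unreachable-code warning, or a style rule that requires braces on every conditional, flags the dead comparison in the defective form; a test that feeds an invalid certificate and expects rejection catches it at runtime.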

Working exploit code has reportedly been developed and will likely be released to the masses; however, the developers note that working exploits are likely already active in the wild. UPDATE: publicly released POC code here, although I must disclaim that I have not had the opportunity to play with this yet – my vulnerable device is safely shut down in my desk drawer at home!

The good news is that a patch has been issued, but the bad news is that many companies (particularly small and mid-size businesses) do not have mobile device management platforms to enforce patch installation. Given the prevalence of iPhones in the SMB world, particularly personal devices that have been granted access to corporate email, organizations should immediately take steps to identify any such devices with access to company email or other resources and ensure that the appropriate patch has been installed.

iOS devices should be updated to version 7.0.6 or version 6.1.6, depending upon which OS version is installed. iOS users with devices that were initially running iOS 6 and can be upgraded to iOS 7 (such as the iPhone 4 / 4S or the iPad 2) should note that the 6.1.6 update has not been released for these devices, and they must be updated to the current iOS 7 revision. There are likely a large number of such devices in the wild whose users have intentionally neglected to install iOS 7 due to battery and performance issues on older devices.