Vjeran Pavic / Re/code
Apple has just pushed out software updates that fix security vulnerabilities on the iPhone and iPad and certain versions of Mac OS X Mountain Lion and Mavericks. It has also circulated a second update that patches a vulnerability that exposes the most recent model of AirPort Extreme to the Heartbleed bug.
First the Heartbleed issue: The update applies only to the latest model of AirPort Extreme and Time Capsule introduced last June. The updates correct a weakness in OpenSSL, the security software hit by the Heartbleed bug, that existed only when Apple’s Back to My Mac feature was enabled. It doesn’t affect older AirPorts and Time Capsules.
The other updates for the iPhone and iPad correct a flaw that would allow an attacker to bypass certain encryption protections that are meant to prevent eavesdropping on data traffic.
According to advisories posted by Apple to the Bugtraq mailing list (see here), the flaw would allow an attacker to carry out what’s known as a “triple handshake,” essentially establishing two connections at once with the same encryption keys. Once complete, the attacker could renegotiate the connections with his or her own data and cause the connections to forward to each other. This would allow the capture of data — essentially eavesdropping — or the changing of operations performed during a remote SSL session.
A third patch issued for Mac OS (Bugtraq post here) fixes several vulnerabilities. One would allow an attacker to strip away the security settings of a Web connection by forcing an early close of the connection. Another would allow the creators of malicious websites to execute arbitrary code or terminate applications running on the system of a visitor.
It has been an eventful few months on the Apple security front. Earlier this year the company patched another SSL vulnerability known as Gotofail that would allow attackers to bypass security protocols.