Apple Patches OS X and iOS, Provides Heartbleed Update
Apple is updating its iOS mobile operating system, the OS X desktop operating system and the firmware on the Airport WiFi access point for security vulnerabilities with a series of security updates released on April 22.
Among the patched issues, several affect both iOS and OS X, one of which is a fix for the so-called "triple handshake" attack, identified as CVE-2014-1295.
"In a triple handshake attack, it was possible for an attacker to establish two connections that had the same encryption keys and handshake, insert the attacker's data in one connection and renegotiate so that the connections may be forwarded to each other," Apple warned in its advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."
There is also a flaw in the CFNetwork HTTP protocol implementation in both iOS and OS X; the vulnerability is identified as CVE-2014-1296.
"Set-cookie HTTP headers would be processed even if the connection closed before the header line was complete," Apple warned. "An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie."
Inside the IOS 7.1.1 update, Apple is providing a number of security fixes for the WebKit engine that powers the Safari Web browser. The fixes overlap with ones that Apple provides users of the desktop edition of Safari in an update first released April 1.
Among the patched WebKit flaws, there are two that were originally first publicly demonstrated at the March Pwn2own hacking event, sponsored by Hewlett-Packard's Zero Day Initiative (ZDI).
Apple is now also releasing a Heartbleed-related patch for its AirPort Base Station WiFi access point. The Heartbleed vulnerability was first publicly disclosed April 7 and affects the open-source OpenSSL cryptographic library.
"An attacker in a privileged network position could obtain information from process memory," Apple warned in its AirPort advisory. "This issue was addressed through additional bounds checking."
Apple notes that only 802.11ac enabled AirPort Extreme and AirPort Time Capsule base stations are at risk and then only when the users have the "Send Diagnostics" feature enabled.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.