Apple has released an emergency security update (iOS 7.0.6) to fix a mistake in the source code of the operating system's SSL/TLS implementation. The fix is available for download for the iPhone, the iPad 2 and the latest-generation iPod touch. The Mac operating system appears to be affected as well, but at the time of writing no update had been released for it.
Because of this bug, a security check on the connection is never carried out, which allows an attacker to intercept communications between the device and the network. A man-in-the-middle attack becomes possible: the targeted device exchanges its data with the attacker rather than with the remote server. The attacker needs a position on the network path, typically the same local network as the victim. Public Wi-Fi in a café would do, for example, and would let the attacker impersonate any website, even one served over HTTPS.
A developer published the details of the error on his website. It lies in a system library and, more specifically, in the routine that checks the signature on the server's key exchange during the TLS handshake. A "goto fail" statement was repeated twice by mistake.
"This kind of subtle bug is a nightmare," the developer says in his post. "I think it's just a mistake." According to him, OS X 10.9 (the Mac) is also affected, as are "some versions of iOS 6".
The effect is devastating. The first "goto fail" is the statement executed only if the preceding condition holds: the body of an "if condition then do this" test. The second one, despite being indented the same way, is not part of that "if" at all; it is simply the next statement, so it always runs. At that point control always jumps to "fail", a label at the end of the routine that returns the value indicating whether or not an error occurred. Since the check just before the stray "goto" succeeded, that value says "no error". Every check placed after it, including the signature verification itself, never runs: the door is wide open to an attacker.
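To make that control flow concrete, here is a constructed C model of the bug next to its fix. It is an added example, not the Apple routine the article describes: the handshake_t type, its two flag fields, the sample values and the helper names hash_update, hash_final and verify_signature are assumptions that stand in for the real hashing and signature steps.

```c
#include <stdio.h>

/* Constructed model of the duplicated "goto fail" (added example, not Apple's code).
 * A handshake is reduced to two flags; the helper names below are assumptions. */
typedef struct {
    int params_ok;     /* server key-exchange parameters hash correctly */
    int signature_ok;  /* the server's signature over them verifies */
} handshake_t;

/* Sample inputs (constructed): a genuine server, and a forged one whose
 * signature does not verify, as a man-in-the-middle would present. */
static const handshake_t genuine = { .params_ok = 1, .signature_ok = 1 };
static const handshake_t forged  = { .params_ok = 1, .signature_ok = 0 };

/* Each step returns 0 on success and nonzero on error, the convention the
 * real routine follows. */
static int hash_update(const handshake_t *h)      { return h->params_ok ? 0 : -1; }
static int hash_final(const handshake_t *h)       { return h->params_ok ? 0 : -1; }
static int verify_signature(const handshake_t *h) { return h->signature_ok ? 0 : -2; }

/* Vulnerable form: the second "goto fail" is not governed by the if above it. */
int verify_vulnerable(const handshake_t *h)
{
    int err;

    if ((err = hash_update(h)) != 0)
        goto fail;
        goto fail;                            /* duplicated line: runs unconditionally */
    if ((err = hash_final(h)) != 0)           /* unreachable */
        goto fail;
    if ((err = verify_signature(h)) != 0)     /* unreachable: forged signatures pass */
        goto fail;

fail:
    return err;                               /* still 0 from hash_update */
}

/* Fixed form: one goto per check, and braces on every body so that an
 * extra line can never silently change the control flow. */
int verify_fixed(const handshake_t *h)
{
    int err;

    if ((err = hash_update(h)) != 0) {
        goto fail;
    }
    if ((err = hash_final(h)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(h)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    printf("vulnerable, forged : %d\n", verify_vulnerable(&forged));  /* 0: accepted */
    printf("fixed, forged      : %d\n", verify_fixed(&forged));       /* -2: rejected */
    printf("fixed, genuine     : %d\n", verify_fixed(&genuine));      /* 0 */
    return 0;
}
```

Two cheap checks would have caught this pattern: a house rule that every "if" body is braced, and compiling with warnings for unreachable code or misleading indentation (GCC's -Wmisleading-indentation, clang's -Wunreachable-code), which flag the orphaned second "goto" and the dead checks after it.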