Apple released a security update, iOS 7.0.6 - details as follows:
---------
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
CVE-ID: CVE-2014-1266
The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.
Source: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266
-----------
The released security update fixes a bug in the SSL/TLS implementation on iOS that would allow a man-in-the-middle attacker to intercept SSL-protected data. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Apple has already issued the fix for iOS in version 7.0.6, and according to Apple a similar fix for OS X should be expected shortly.
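The "missing validation step" named above is the duplicated "goto fail" in SSLVerifySignedServerKeyExchange. The C model below is added here and is not Apple's code: the hash and signature steps are toy stubs constructed for illustration (the errSSLCrypto value is assumed), but the control flow reproduces the defect, so the vulnerable shape returns success for a bogus signature while the fixed shape rejects it.

```c
#include <stdint.h>
#include <stddef.h>

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9800 }; /* assumed error value */

/* Toy stand-in for the SHA-1 update over the signed ServerKeyExchange params. */
static OSStatus hash_update(uint32_t *h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) *h = (*h * 31u) ^ p[i];
    return errSecSuccess;
}

/* Toy stand-in for the RSA signature check: a "signature" is valid
 * when it equals the toy digest of the signed bytes. */
static OSStatus verify_sig(uint32_t digest, uint32_t sig) {
    return digest == sig ? errSecSuccess : errSSLCrypto;
}

/* Vulnerable shape (CVE-2014-1266): the second 'goto fail' is unconditional,
 * so verify_sig is never reached and 'err' still holds the success value
 * returned by hash_update. Any signature, or none, is accepted. */
OSStatus verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig) {
    OSStatus err;
    uint32_t digest = 0;
    if ((err = hash_update(&digest, params, n)) != 0)
        goto fail;
        goto fail;   /* duplicated line: skips the signature check */
    if ((err = verify_sig(digest, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: exactly one goto per check, so verify_sig always runs. */
OSStatus verify_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    OSStatus err;
    uint32_t digest = 0;
    if ((err = hash_update(&digest, params, n)) != 0)
        goto fail;
    if ((err = verify_sig(digest, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Helpers: the correct toy signature for params, and a wrong one. */
uint32_t good_sig(const uint8_t *p, size_t n) { uint32_t d = 0; hash_update(&d, p, n); return d; }
uint32_t bad_sig(const uint8_t *p, size_t n)  { return good_sig(p, n) + 1u; }
```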
Current recommendations for iOS version 7.0.5 or older:
- update to version 7.0.6 immediately (perform the update over a trusted connection)
Current recommendations for OS X versions older than 10.9.2 include:
- use an alternate browser - currently Firefox and Chrome have been deemed safe from this bug as they use their own SSL/TLS libraries
- avoid using public and unsecured networks (especially WiFi networks)
- as soon as Apple releases the fix for OS X, apply the patch to the affected versions of the software to remediate
- AV or IPS protection is not feasible for this issue
References:
About the security content of iOS 7.0.6
http://support.apple.com/kb/HT6147
Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!
http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/
Apple security update fixes iOS vulnerability
http://news.cnet.com/8301-13579_3-57619299-37/apple-security-update-fixes-ios-vulnerability/
Urgent iPhone and iPad security update, Mac OS X pending
http://www.welivesecurity.com/2014/02/22/urgent-iphone-and-ipad-security-update-mac-os-x-pending
Protect your Mac from SSL bug
http://reviews.cnet.com/8301-13727_7-57619382-263/protect-your-mac-from-ssl-bug/