Apple patches triple handshake, other vulnerabilities


Apple Tuesday pushed out security fixes for iOS and OS X that address a number of security bugs and vulnerabilities. One of the bigger issues is dubbed "triple handshake."

Apple describes it in its security bulletin, which covers OS X 10.8 and later, iPhone 4 and later, iPad 2 and later, and iPod touch 5G and later:

An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL

Description: In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.
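
The rule in the bulletin's last sentence can be modelled as a per-connection check, shown here as an added example that is not Apple's Secure Transport code. The class, function and `allow_cert_change` names are hypothetical, and the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib
import hmac


class RenegotiationError(Exception):
    """Raised when a handshake must be refused."""


class SessionCertPolicy:
    """Pins the server certificate seen in the first handshake of a connection."""

    def __init__(self, allow_cert_change=False):
        # Hypothetical opt-out flag; the default enforces the same-certificate rule.
        self.allow_cert_change = allow_cert_change
        self._pinned = None  # SHA-256 of the first server certificate (DER bytes)

    def on_handshake(self, server_cert_der):
        """Call after every handshake; returns 'initial' or 'renegotiated'."""
        if not server_cert_der:
            raise RenegotiationError("server presented no certificate")
        digest = hashlib.sha256(server_cert_der).digest()
        if self._pinned is None:
            self._pinned = digest
            return "initial"
        if not self.allow_cert_change and not hmac.compare_digest(digest, self._pinned):
            raise RenegotiationError("server certificate changed during renegotiation")
        return "renegotiated"


def run_session(policy, certs):
    """Feed one connection's handshake certificates in order; report each outcome."""
    outcomes = []
    for der in certs:
        try:
            outcomes.append(policy.on_handshake(der))
        except RenegotiationError as exc:
            outcomes.append("refused: " + str(exc))
            break  # the connection is torn down on refusal
    return outcomes


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"

if __name__ == "__main__":
    print(run_session(SessionCertPolicy(), [CERT_A, CERT_A]))
    print(run_session(SessionCertPolicy(), [CERT_A, CERT_B]))
```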