Apple has been working hard to get its products into the enterprise, but a new security vulnerability is about to give its reputation a black eye. Sure, many companies have security problems, but it is how obvious this oversight was that will raise alarm bells.

On Friday, Apple revealed a significant bug in their SSL/TLS implementation:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Based on the advisory, Secure Transport skipped a validation step in the SSL/TLS handshake on every iOS release before 7.0.6. Note that the advisory speaks of "missing validation steps", not of hostname checking: the step restored by the fix is the signature check on the server's key-exchange message, which is what lets an attacker in a privileged network position impersonate a server with a certificate that otherwise validates. See below for updated details.
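To make the control-flow failure concrete, here is an added, constructed C model of the bug class (not Apple's code and not part of the original article). The real fix removed a duplicated "goto fail;" line; in this model the hash is a toy checksum standing in for SHA-1 and the "signature" is hash XOR key standing in for the RSA/ECDSA check, and SERVER_RANDOM, SIGNED_PARAMS and TOY_KEY are made-up sample inputs:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not real handshake data). */
static const uint8_t SERVER_RANDOM[] = "constructed-server-random";
static const uint8_t SIGNED_PARAMS[] = "constructed-ecdhe-params";
#define TOY_KEY 0x5a5a5a5au

typedef struct { uint32_t h; } HashCtx;

/* Toy hash: placeholder for SHA-1 over ClientRandom||ServerRandom||params. */
static int hash_update(HashCtx *ctx, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        ctx->h = ctx->h * 31u + buf[i];
    return 0;
}
static int hash_final(HashCtx *ctx, uint32_t *out) { *out = ctx->h; return 0; }

/* Toy signature check: placeholder for the real public-key verify. */
static int raw_verify(uint32_t hash, uint32_t sig, uint32_t key) {
    return (hash ^ key) == sig ? 0 : -1;
}

/* Produce the one signature the toy verifier would accept (test helper). */
uint32_t make_valid_sig(void) {
    HashCtx ctx = {0};
    uint32_t h;
    hash_update(&ctx, SERVER_RANDOM, sizeof SERVER_RANDOM);
    hash_update(&ctx, SIGNED_PARAMS, sizeof SIGNED_PARAMS);
    hash_final(&ctx, &h);
    return h ^ TOY_KEY;
}

/* Buggy shape: the second, unconditional "goto fail;" jumps to the exit
 * while err is still 0 from the successful hash_update, so hash_final and
 * raw_verify never run and the caller is told the signature is valid. */
int verify_buggy(uint32_t sig, uint32_t key) {
    HashCtx ctx = {0};
    uint32_t hash_out = 0;
    int err;
    if ((err = hash_update(&ctx, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, SIGNED_PARAMS, sizeof SIGNED_PARAMS)) != 0)
        goto fail;
        goto fail;   /* duplicated line: indentation lies, it always runs */
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, sig, key);
fail:
    return err;
}

/* Fixed shape: same code with the stray jump removed, so a bad signature
 * reaches raw_verify and is rejected. */
int verify_fixed(uint32_t sig, uint32_t key) {
    HashCtx ctx = {0};
    uint32_t hash_out = 0;
    int err;
    if ((err = hash_update(&ctx, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, SIGNED_PARAMS, sizeof SIGNED_PARAMS)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, sig, key);
fail:
    return err;
}

int main(void) {
    uint32_t good = make_valid_sig();
    uint32_t bad = good ^ 1u;   /* guaranteed to differ from the valid one */
    printf("fixed, good sig: %d\n", verify_fixed(good, TOY_KEY));   /* 0 */
    printf("fixed, bad sig:  %d\n", verify_fixed(bad, TOY_KEY));    /* -1 */
    printf("buggy, bad sig:  %d\n", verify_buggy(bad, TOY_KEY));    /* 0 */
    return 0;
}
```

The practical lesson is that "return err" after a label is only safe if every path to the label sets err to a failure value; a compiler warning on unreachable code or misleading indentation would have flagged the duplicated line.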

Matthew D. Green, Assistant Research Professor at the Johns Hopkins Information Security Institute, notes that this is "seriously exploitable."

I'm not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control. — Matthew Green (@matthew_d_green) February 21, 2014

Aside from iOS, we noted that this also seems to be present in OS X Mavericks; however, it seems to affect only SSL connections to IP addresses rather than domain names. While this lessens the extent of the vulnerability, it is still a glaring hole in the platform's security, and there may be a way to bypass this restriction.

An example of the issue can be demonstrated with the following commands in Terminal, where the first fails and the second succeeds:

curl https://neowin.net/

curl https://74.204.71.247/