Apple patches encryption flaw in iOS and OS X

Apple has quickly released a patch for a flaw in its encryption capability for the iOS mobile and OS X desktop operating systems which could allow attackers to unscramble protected iMessage photos and videos.

First reported by the Washington Post, a group of researchers led by cryptographer Matthew Green at John Hopkins University discovered they could intercept iMessage content stored in Apple's iCloud by brute-force guessing the encryption key.

With the encryption key at hand, attackers could retrieve files from iCloud accounts without users knowing.

Attackers would need to be able to bypass Apple’s TLS certificate pinning, which associates the iCloud server with expected digital credentials, to take advantage of the vulnerability, the company said. It also said that to read attachments, attackers needed to be able to intercept TLS protected connections, inject and record encrypted attachment-type messages.

The company was last forced to strengthen iCloud security in 2014, after several celebrities had their iCloud accounts hacked and personal photos taken.

Apple has now released iOS 9.3 with a patch for the iMessage flaw, as well as the 10.11.4 version of the OS X desktop operating system.

In total, 38 security flaws are patched in iOS 9.3, which is now available over the air for iDevices.

New features in iOS 9.3 announced at today's Apple product launch event include Night Shift, which automatically adjusts device backlighting depending on time and location to be easier on users' eyes in the dark.

The update also brings in Touch ID fingerprint authentication for the Notes application, and updates for the News and Health apps, as well as Apple Music.