One of the presentations at the RSA Conference underway at the Moscone Center in San Francisco this week focused on the lifecycle of vulnerabilities and vendor pitfalls -- and Apple was the unfortunate star of the show.

The presentation by Yair Amit, CTO of mobile security provider Skycure, and its CEO Adi Sharabani offered details about a vulnerability the company found recently in iOS 8.

“One day, during preparation for a demonstration of a network-based attack, we bought a new router. After setting the router in a specific configuration and connecting devices to it, our team witnessed the sudden crash of an iOS app,” Amit wrote in a blog post. “After a few moments, other people started to notice crashes. Pretty quickly, we realized that only iOS users were suffering from crashes.”

How Deep Does This Go?

Skycure dug deeper to discover this was more than a quality assurance issue. The research team analyzed the crashes and found the source of the problem: by generating specially crafted SSL certificates, attackers can reproduce the bug and crash apps that perform SSL communication any time they choose. The firm reported the issue to Apple.

“With our finding, we rushed to create a script that exploits the bug over a network interface,” Amit said. “As SSL is a security best practice and is utilized in almost all apps in the Apple app store, the attack surface is very wide. We knew that any delay in patching the vulnerability could lead to a serious business impact: an organized denial of service attack can lead to big losses.”

Skycure’s research revealed that the vulnerability actually affects the underlying iOS operating system. "With heavy use of devices exposed to the vulnerability, the operating system crashes as well," Amit said. Even worse, under certain conditions, the Skycure team managed to get devices into a repeatable reboot cycle, making them completely useless.

A Rough Month for Apple

We caught up with Lane Thames, a security researcher at advanced threat protection firm Tripwire, to get his thoughts on the presentation. He told us it’s sad to see new SSL bugs surface, but called parsing bugs common.

“The security risk associated with this vulnerability is based on mobile devices, and iOS devices in particular, being easily fooled into connecting to unsafe Wi-Fi hotspots with little control available to the end user,” Thames said. “Physically avoiding and possibly running away from Wi-Fi hotspots should not be a mitigation technique for this vulnerability, but for some it might just be the only option.”

Craig Young, security researcher at Tripwire, told us April has been a challenging month for Apple with respect to exploitable denial of service attacks. Beyond the Skycure report, Kaspersky reported earlier this month that a specially crafted IP datagram could cause various iOS and OS X systems to crash.

“This latest issue from Skycure is an SSL certificate parsing error capable of causing app crashes and even reboot loops as crafted certificates are parsed,” Young said. “It is also worth noting that the Kaspersky 'Darwin Nuke' finding can also be used to create a 'No iOS Zone' that appears to match the Skycure description, with the exception there appear to be more devices affected by this SSL parsing bug than the Darwin Nuke attack.”