Apple promises to fix OS X encryption flaw ‘very soon’
The iPhone and iPad maker on Friday issued a fix for its mobile devices, but left its Mac lineup unpatched. But not for long, Apple says.
Apple said it will fix a bug “very soon” that allows hackers to spy on financial, e-mail, and other personal data on computers from its Mac desktop and notebook lineup.
The Cupertino, Calif.-based technology giant confirmed in an e-mail to Reuters that it was aware of the issue and already has a software fix that will be released likely in the next few days.
The severity of the bug was significant enough for Apple to issue an iterative update to its more popular iOS 7 software — version 7.0.6, released on Friday — instead of waiting for a larger update as the company does with minor or insignificant design changes.
But its desktop and notebook range of Macs was left vulnerable to man-in-the-middle (MITM) attacks, which could allow a hacker to snoop and surveil sensitive data due to a bug in the security layer.
Such attacks would undermine the encryption between the user and a Web site, allowing financial or password data to be collected and used against the individual.
The bug, disclosed by security researchers shortly after the iOS update, drew suspicion from the hacker community for being a simple mistake.
Some believed the bug was either indicative of poor quality assurance on Apple’s part, or in the age of US government surveillance disclosures perhaps a result of infiltration or creating a deliberate weakness.
Similar attacks were reportedly used against Belgium’s largest telecom provider, Belgacom, which was exploited by the US National Security Agency (NSA) through faked LinkedIn and Slashdot pages.
The bug fix, which will be pushed through OS X’s automatic update facility, will likely be issued this week to address the issue. The flaw has been present for months, according to researchers who tested earlier versions of the desktop and notebook operating system.
Daring Fireball’s John Gruber, an Apple expert and insider, questioned in a blog post on Saturday whether or not this had been exploited by the NSA.
He suggested there was “purely circumstantial” evidence to suggest the NSA had access to secure data through the controversial leaked PRISM program, to which Apple was “added” in October 2012, just one week after iOS 6 — the first version of the mobile software that contained the bug. “But the shoe fits,” he added.
Matthew Green, a cryptography teacher at Johns Hopkins University, is “sure the Apple bug is unintentional,” he wrote on Twitter on Friday. “But man, if you were trying to sneak a [vulnerability] into SSL, this would be it,” he added.