Apple security flaw: what you need to know

Apple has released mobile and Mac operating system updates to fix a critical security flaw, but some users could still be vulnerable to hackers attempting to intercept internet communications.

Company issues iOS, OS X fixes

Apple has plugged a hole in its code for mobile users, one that skipped the website authentication step. (Laura J. Gardner/Associated Press)

On Friday, the company released iOS 7.0.6 for the iPhone 4 and later models, 5th-generation iPod touches, and the iPad 2 and later. The update includes software patches to fix what's been labelled the "gotofail" or SSL encryption bug.

On Tuesday, the company released a security update for its Mac operating system, which patches the flaw in:

  • The most recent versions, OS X Mavericks 10.9 and 10.9.1
  • The earlier versions OS X Lion v10.7.5 and OS X Mountain Lion v10.8.5

However, ZDNet security columnist Larry Seltzer noted that many vulnerabilities in the earlier operating systems, previously disclosed by Apple, remain unpatched.

Patches were also not issued for earlier versions of OS X, such as Snow Leopard v10.6, so users remain vulnerable unless they upgrade to a later version.

What is the security flaw?

The flaw made it possible for hackers to monitor the exchange of potentially sensitive communications. Apple worded it this way on one of its support websites:

"Impact: an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS and modify data."

Without the fix, a hacker could impersonate a protected site and sit in the middle — hence carrying out what's known as a man-in-the-middle attack — as email or financial data goes between the user and the real site.

The flaw is in the way the operating system provides the services known as secure sockets layer (SSL) and transport layer security (TLS). These protocols allow information to be transmitted securely between browsers and web servers, or between a mail server and a mail client, and they do so in two layers.

The first layer is encryption, which scrambles data sent over a network to keep it private. The second layer is verification that the server on the other end is authentic, and that is the layer the bug broke.

Will the fix last and what risk remains?

The updates fix the problems with iOS and later versions of OS X for now.

But industry researchers warn that hackers could soon find a way around both Friday's patch and similar fixes in the future, prompting comparisons between Apple and Microsoft software, which historically has taken the lion's share of criticism over security flaws that could let hackers beat encryption.

According to Adam Langley, a senior software engineer at Google, writing for a blog on ImperialViolet.org, there's a "subtle bug deep in the code."

Langley says the flaw is the result of a single misplaced line of code that lets apps complete a connection without first checking or verifying a website's security certificate.
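To show how one misplaced line can silently disable a certificate check, here is an added illustration in C; it is not code from the article, from Apple, or from Langley's post. The handshake helpers (`hash_update`, `verify_signature`), the error value `errSecBadSignature` and the sample signature strings are constructed stand-ins that only model the control flow: an extra unconditional `goto fail` jumps past the signature verification while the error variable still holds "success", so a forged server handshake is accepted. The second function removes the stray line, which is the shape of the fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the real handshake routines. Only the control
 * flow matters here: an unconditional 'goto fail' that skips the final
 * signature check. */
#define errSecSuccess 0
#define errSecBadSignature (-1)   /* hypothetical error code for this example */

/* Toy "hash update": always succeeds, as the real calls do in the normal case. */
static int hash_update(const char *data) {
    (void)data;
    return errSecSuccess;
}

/* Toy "signature check": the only step that can reject a forged handshake.
 * expected_sig models what the genuine server's key would have produced;
 * actual_sig models what arrived on the wire. */
static int verify_signature(const char *expected_sig, const char *actual_sig) {
    return strcmp(expected_sig, actual_sig) == 0 ? errSecSuccess : errSecBadSignature;
}

/* Vulnerable control flow: the duplicated 'goto fail' is always taken, so
 * verify_signature() is never reached and err is still errSecSuccess. */
int verify_key_exchange_vulnerable(const char *expected_sig, const char *actual_sig) {
    int err;
    if ((err = hash_update("client_random")) != 0)
        goto fail;
    if ((err = hash_update("server_random")) != 0)
        goto fail;
        goto fail;   /* misplaced line: unconditional, err == 0 at this point */
    if ((err = verify_signature(expected_sig, actual_sig)) != 0)
        goto fail;
fail:
    return err;      /* returns 0 (accept) even when the signature is bad */
}

/* Fixed control flow: the stray line is gone, so a bad signature propagates
 * as an error and the connection is rejected. */
int verify_key_exchange_fixed(const char *expected_sig, const char *actual_sig) {
    int err;
    if ((err = hash_update("client_random")) != 0)
        goto fail;
    if ((err = hash_update("server_random")) != 0)
        goto fail;
    if ((err = verify_signature(expected_sig, actual_sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    /* Constructed sample: the signature on the wire does not match what the
     * genuine server would have produced, i.e. a forged handshake. */
    const char *genuine = "sig-from-real-server";
    const char *forged = "sig-from-impostor";
    printf("vulnerable: %d (0 means accepted)\n",
           verify_key_exchange_vulnerable(genuine, forged));
    printf("fixed:      %d (non-zero means rejected)\n",
           verify_key_exchange_fixed(genuine, forged));
    return 0;
}
```

The defensive lesson is that a compiler with unreachable-code warnings enabled, or a test that feeds a deliberately bad signature through the verifier and expects a rejection, would have caught this: the vulnerable function accepts the forged input with return value 0, while the fixed one returns an error.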

Apple has not said when or how it learned about the flaw, nor has it said whether the flaw was being exploited. But some researchers say the problem has been around for weeks, or even months.

With files from Reuters