A major security flaw that can turn your device into a treasure trove of personal data has been revealed in Apple products using iOS and OS X. Apple publicly acknowledged the fault on Friday, but the severity of the issue has grown in the time since.
Slate is reporting that the problems lie with a Secure Sockets Layer (SSL) vulnerability, a problem that Matthew Green at Johns Hopkins University says is “as bad as you can imagine.” From 24/7 Wall St:
It means that an attacker could intercept communications from an iPhone that was meant to be encrypted. Let’s say the attacker had access to the same network over an unsecured WiFi connection in a coffee shop or restaurant. He could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site. The worse news for Apple is that its desktop operating system, OS X, is perhaps even more exposed to attack.
Given the severity of the potential damage, Apple has taken a low-key approach to notifying users of the harm to which they are exposed. The company has pushed a patch to iPhone users, but the company’s note says only, “This security update provides a fix for SSL connection verification,” and contains a link to a page on Apple’s support site. The update gives no sense of urgency about installing the patch.
The update from Apple seems to fix the issue, so you’re going to want to install it as soon as you get the chance. Have a little patience, because even the update doesn’t go as smoothly as it should. And even though no major attacks or issues have been announced to this point, you might want to update your passwords and keep an eye on your data.
The interesting note is that this is allegedly the security hole that allowed the NSA to access any iOS device, something that Apple is denying. Either way, it’s a bit embarrassing that a company could let something like this slip by for so long.
It’s funny how even the slightest mistake, like cutting and pasting code, can muck up an entire operation and put users at risk.
(Via Slate / ZDNet)