Confirming researchers' findings late Friday that a major security
flaw in iPhones and iPads also appears in notebook and desktop
machines running Mac OS X, Apple spokeswoman Trudy Muller told
Reuters: "We are aware of this issue and already have a software fix
that will be released very soon."
Apple released a fix Friday afternoon for the mobile devices running
iOS, and most will update automatically. Once that fix came out,
experts dissected it and saw the same fundamental issue in the
operating system for Apple's mainstream computers.
That started a race, as intelligence agencies and criminals will try
to write programs that take advantage of the flaw on Macs before
Apple pushes out the fix for them.
The flaw is so odd in retrospect that researchers faulted Apple for
inadequate testing and some speculated that it had been introduced
deliberately, either by a rogue engineer or a spy. Former
intelligence operatives said that the best "back doors" often look
Muller declined to address the theories.
"It's as bad as you could imagine, that's all I can say," said Johns
Hopkins University cryptography professor Matthew Green.
Adam Langley, who deals with similar programming issues as a Google
engineer, wrote on his personal blog that the flaw might not have
shown up without elaborate testing.
"I believe that it's just a mistake and I feel very bad for whomever
might have slipped," he wrote.
The problem lies in the way the software recognizes the digital
certificates used by banking sites, Google's Gmail service, Facebook
and others to establish encrypted connections. A single line in the
program and an omitted bracket meant that those certificates were
not authenticated at all, so that hackers can impersonate the
website being sought and capture all the electronic traffic before
passing it along to the real site.
[to top of second column]
In addition to intercepting data, hackers could insert malicious web
links in real emails, winning full control of the target computer.
The intruders do need to have access to the victim's network, either
through a relationship with the telecom carrier or through a WiFi
wireless setup common in public places. Industry veterans warned
users to avoid unsecured WiFi until the software patch is available
The bug has been present for months, according to researchers who
tested earlier versions of Apple's software. No one had publicly
reported it before, which means that any knowledge of it was tightly
held and that there is a chance it hadn't been used.
But documents leaked by former U.S. intelligence contractor Edward
Snowden showed agents boasting that they could break into any iPhone,
and that hadn't been public knowledge either.
Apple did not say when or how it learned about the flaw in the way
iOS and Mac OS handle sessions in what are known as secure sockets
layer or transport layer security. Those are shown to users by the
website prefix "https" and the symbol of a padlock.
The issue is a "fundamental bug in Apple's SSL implementation," said
Dmitri Alperovitch, chief technology officer at security firm
(Editing by James Dalgleish)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.