Apple vows to fix Mac SSL encryption bug 'very soon'

Summary: The iPhone and iPad maker issued a fix for its mobile devices on Friday, but left its desktop and notebook devices unpatched. But not for long, Apple says.


Apple said it will fix a bug "very soon" that allows hackers to spy on financial, email, and other personal data on its Mac desktop and notebook line-up.

The Cupertino, Calif.-based technology giant confirmed in an email to Reuters that it is aware of the issue and already has a software fix, which will likely be released in the next few days.

The bug was severe enough for Apple to ship a point release of its more popular iOS 7 software, version 7.0.6, on Friday rather than fold the fix into the larger update it normally uses for minor changes.

But OS X on its desktop and notebook Macs was left vulnerable to man-in-the-middle (MITM) attacks: a bug in the operating system's SSL layer lets an attacker positioned between the user and a server intercept traffic that should be protected by encryption.

In such an attack the encryption between the user and a website no longer protects the session, so financial data, passwords and other sensitive information can be collected and used against the individual.

The bug, disclosed by security researchers shortly after the iOS update, drew suspicion from the security community precisely because it was so simple a mistake.

Some saw it as a sign of poor quality assurance on Apple's part; others, in the age of U.S. government surveillance disclosures, wondered whether it was the result of infiltration or a deliberately planted weakness.
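The flaw itself, as later widely documented, was a duplicated `goto fail;` line in the SSL handshake code of Apple's Secure Transport library: the second copy sat outside any `if`, so the jump to the cleanup label was unconditional, the check of the server's signature over its key exchange never ran, and the function returned the success code left over from the previous step. The C below is an added illustration written for this page, not Apple's code or the article's; `toy_hash`, `toy_verify` and the sample handshake message are constructed stand-ins for the real hash and signature routines so that the control-flow bug can be run on its own, beside the fixed shape.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes in the style of an OSStatus: 0 is success, anything else an error. */
enum { ERR_OK = 0, ERR_HASH = -1, ERR_SIGNATURE = -2 };

/* Constructed stand-in for a hash step: folds the message into one byte.
 * Hypothetical and deliberately weak; only the control flow around it matters. */
static int toy_hash(const uint8_t *msg, size_t len, uint8_t *digest_out) {
    if (msg == NULL || digest_out == NULL) return ERR_HASH;
    uint8_t d = 0x5a;
    for (size_t i = 0; i < len; i++)
        d = (uint8_t)(((d << 1) | (d >> 7)) ^ msg[i]);
    *digest_out = d;
    return ERR_OK;
}

/* Constructed stand-in for "verify the server's signature over the digest". */
static int toy_verify(uint8_t digest, uint8_t sig) {
    return digest == sig ? ERR_OK : ERR_SIGNATURE;
}

/* The vulnerable shape. The second `goto fail;` is not under the `if`, so it runs
 * unconditionally: the verify step below it is dead code, and err still holds the
 * 0 returned by the hash step, so a forged signature is reported as valid. */
static int verify_key_exchange_vulnerable(const uint8_t *msg, size_t len, uint8_t sig) {
    int err;
    uint8_t digest;

    if ((err = toy_hash(msg, len, &digest)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: always taken */
    if ((err = toy_verify(digest, sig)) != 0)
        goto fail;

fail:
    return err;
}

/* The fixed shape: every jump to cleanup is guarded, and braces make the intent
 * visible so a stray extra line cannot silently change the control flow again. */
static int verify_key_exchange_fixed(const uint8_t *msg, size_t len, uint8_t sig) {
    int err;
    uint8_t digest;

    if ((err = toy_hash(msg, len, &digest)) != 0) {
        goto fail;
    }
    if ((err = toy_verify(digest, sig)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed handshake message; a legitimate server signs exactly this. */
static const uint8_t SAMPLE_MSG[] = "ServerKeyExchange: ECDHE public key (constructed sample)";
#define SAMPLE_LEN ((sizeof SAMPLE_MSG) - 1)

/* Signature a genuine server would produce over SAMPLE_MSG (toy scheme). */
uint8_t sample_good_sig(void) {
    uint8_t d = 0;
    toy_hash(SAMPLE_MSG, SAMPLE_LEN, &d);
    return d;
}

/* What a man in the middle sends: its own key material with a signature it
 * cannot produce, here simply a corrupted one. */
uint8_t sample_forged_sig(void) { return (uint8_t)(sample_good_sig() ^ 0xff); }

/* 1 if the client would accept the handshake, 0 if it would abort. */
int vulnerable_accepts(uint8_t sig) {
    return verify_key_exchange_vulnerable(SAMPLE_MSG, SAMPLE_LEN, sig) == ERR_OK;
}

int fixed_accepts(uint8_t sig) {
    return verify_key_exchange_fixed(SAMPLE_MSG, SAMPLE_LEN, sig) == ERR_OK;
}

int main(void) {
    printf("vulnerable client accepts forged signature: %d\n", vulnerable_accepts(sample_forged_sig()));
    printf("fixed client accepts forged signature:      %d\n", fixed_accepts(sample_forged_sig()));
    printf("fixed client accepts genuine signature:     %d\n", fixed_accepts(sample_good_sig()));
    return 0;
}
```

The vulnerable function accepts the forged signature and the genuine one alike, which is exactly what lets an attacker on the path substitute its own key exchange; the fixed function rejects the forgery. Compilers do not flag the duplicated line by default, which is why this class of bug is caught by tests that feed a deliberately bad signature, by coverage tools that show the verify call never executes, or by a style that always braces single-statement bodies.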

Similar man-in-the-middle techniques were reportedly used against Belgium's largest telecom provider, Belgacom, which was compromised by Britain's GCHQ, working with the U.S. National Security Agency (NSA), through faked LinkedIn and Slashdot pages.

The fix, which will be pushed through OS X's software update mechanism, is likely to arrive this week. The flaw has been present for months, according to researchers who tested earlier builds of the desktop and notebook operating system.

Daring Fireball's John Gruber, a long-time Apple commentator, asked in a blog post on Saturday whether the bug had been exploited by the NSA.

He called the evidence "purely circumstantial": the leaked slide for the controversial PRISM program lists Apple as "added" in October 2012, about a week after the release of iOS 6, the first version of the mobile software to contain the bug. "But the shoe fits," he added.

Matthew Green, a cryptographer who teaches at Johns Hopkins University, wrote on Twitter on Friday that he was "sure the Apple bug is unintentional." "But man, if you were trying to sneak a [vulnerability] into SSL, this would be it," he added.

ZDNet's own check, using a website set up to test whether a device is affected, showed that the pre-release iOS 7.1 (beta 5), expected to ship in mid-March, still contains the flaw.

  • I bet if it was Windows

    You would not hear the end of it.
    • Just consider though

      All of the MacBooks that actually won't/can't get security updates to fix this because they're too old (even early Core 2 based ones): Apple's newest OS cut support.
      • There's nothing to consider

        Only Mavericks, the latest, has this vulnerability.
    • adacosta38 (aka MS-MVP)

      You commented on the wrong article.

      See the text above; Topic: Apple, with big letters: Apple vows to fix Mac SSL encryption bug 'very soon'

      Look and read the article and any links, before writing so quickly.
      • What's your point?

        Posting MS MVP in your subject title is so immature. We all know Apple is not good at fixing bugs. They chose to prioritize iOS over OS X when they should have fixed both at the same time. Shows how much they care.
        • To the contrary

          Actually Apple is excellent at fixing bugs and has a very good bug-reporting infrastructure for customers. There was an HDMI bug with Mavericks, which I reported and they released a fix for within a week. Microsoft has nothing like it.

          Having said that, this is a suspicious flaw in the system. Very bad on Apple's part.
    • No, it's Mac and we haven't heard the end of it

      Or are four articles in two days too few for your tastes?
      • Yes, as a matter of fact...

        Four articles in 2 days IS too few, especially for an OS which is widely touted as so secure one need not give consideration whatsoever to security.

        The reality is that this could have easily happened to any OS - Mac, Windows, Linux, Android, iOS or any others. But it should take some of the wind out of the sails of those who praise Apple for their inherent security.

        And as adacosta38 suggested, if a vulnerability of this magnitude were discovered in Windows, there would be literally dozens of articles lambasting its flaws. But when it happens to the Mac, it does smack of hypocrisy when people start crying foul when just 4 articles mention it.
        • Baloney

          Over a weekend there would have been more than four articles? Zdnet doesn't even usually have that many articles over a weekend.
          • On the other hand...

            They managed a couple of po$itive articles on Samsung...
  • OS X Mountain Lion not affected....

    Apple has not indicated whether support for OS X Mountain Lion has been pulled or not.

    Furthermore for anyone still working with OS X Snow Leopard it is now imperative they use Google Chrome or Opera as their default browser.
  • Good to know.

    Good to know that "pretty soon" MacBook owners won't be subject to identity theft and to having their bank accounts emptied because they checked their account balance at a Starbucks.
  • I'll be back for you Ralph

    How soon? Very Soon!
  • iPhones used by the government

    iOS 6 was approved for US government use. Was this bug present at the time of approval? How did it manage to pass the certification?

    Government spy on the government? Interesting.
  • Re: Earlier OS X releases not affected....

    It's ironic that the older, seemingly unsupported OS X Mountain Lion is not affected by this bug.