Apple vows to fix Mac SSL encryption bug 'very soon'

The iPhone and iPad maker issued a fix for its mobile devices on Friday, but left its desktop and notebook devices unpatched. But not for long, Apple says.
Written by Zack Whittaker, Contributor

Apple said it will fix a bug "very soon" that allows hackers to spy on financial, email, and other personal data on its Mac desktop and notebook line-up.

The Cupertino, Calif.-based technology giant confirmed in an email to Reuters that it was aware of the issue and already has a software fix, likely to be released in the next few days.

The severity of the bug was significant enough for Apple to issue an iterative update to its more popular iOS 7 software — version 7.0.6, released on Friday — instead of waiting for a larger update, as the company does with minor or insignificant design changes.

But its desktop and notebook range of Macs were left vulnerable to man-in-the-middle (MITM) attacks, which could allow a hacker to snoop on and surveil sensitive data because of a bug in the security layer.

Such attacks would undermine the encryption between the user and a website, allowing financial or password data to be collected and used against the individual.

The bug, disclosed by security researchers shortly after the iOS update, drew suspicion from the hacker community because it was such a simple mistake.

Some believed the bug was indicative of poor quality assurance on Apple's part; others, in the age of U.S. government surveillance disclosures, suspected it was the result of infiltration or a deliberately created weakness.

Similar attacks were reportedly used against Belgium's largest telecom provider, Belgacom, which was exploited by the U.S. National Security Agency (NSA) through faked LinkedIn and Slashdot pages.

The fix, which will be pushed through OS X's automatic update facility, will likely be issued this week. The flaw has been present for months, according to researchers who tested earlier versions of the desktop and notebook operating system.

Daring Fireball's John Gruber, an Apple expert and insider, questioned in a blog post on Saturday whether or not this had been exploited by the NSA. 

He suggested there was "purely circumstantial" evidence that the NSA had access to secure data through the controversial leaked PRISM program, to which Apple was "added" in October 2012, just one week after iOS 6 — the first version of the mobile software that contained the bug. "But the shoe fits," he added.

Matthew Green, a cryptography teacher at Johns Hopkins University, wrote on Twitter on Friday that he was "sure the Apple bug is unintentional." "But man, if you were trying to sneak a [vulnerability] into SSL, this would be it," he added.

ZDNet's testing, using a website that checks whether or not the bug exists, showed that the pre-release version of iOS 7.1 (beta 5), expected to land in mid-March, still contains the flaw.
