A new version of Apple's iOS for its tablets and phones was rushed out the door Friday to patch a vulnerability in which Apple's mobile, tablet and desktop software does not perform SSL/TLS hostname checking, so communications meant to be encrypted are not.
The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).
Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.
Unfortunately, Apple has not released a statement on when to expect this patch, nor what version range of iPhone, iPad, iPod touch, or Mac computer is affected by the major, and somewhat shocking, flaw.
The vulnerability allows anyone with a certificate signed by a "trusted CA" to carry out a man-in-the-middle (MITM) attack.
A man-in-the-middle attack seamlessly intercepts communication — and more, like unencrypted passwords — between yourself and your intended recipient or website, and according to OWASP, "the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication."
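Why a client must check the hostname as well as the CA signature, as an added example that is not Apple's code or part of the original article. Chain trust is modelled as simple issuer membership, and `accept_peer`, the CA name and the certificate dicts are constructed for illustration (the dicts use the layout of Python's `ssl.SSLSocket.getpeercert()`).

```python
# Added example; all names and sample certificates are constructed.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested host.
    A wildcard is honoured only as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        # "*.example.com" covers exactly one label; reject "*.com"-style names
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName in the certificate covers hostname."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(n, hostname) for n in names)


def accept_peer(cert, hostname, trusted_issuers, check_hostname=True) -> bool:
    """Assumption: chain validation is reduced to an issuer lookup here;
    a real client verifies the signature chain cryptographically."""
    issuer_cn = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    if issuer_cn not in trusted_issuers:
        return False
    # With check_hostname=False, any certificate from a trusted CA passes.
    return cert_matches_host(cert, hostname) if check_hostname else True


TRUSTED = {"Constructed Root CA"}
ISSUER = ((("commonName", "Constructed Root CA"),),)
# Certificate legitimately issued for the site the user wants to reach.
LEGIT = {"issuer": ISSUER,
         "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example"))}
# Equally valid certificate, but issued for a different domain.
OTHER = {"issuer": ISSUER, "subjectAltName": (("DNS", "*.unrelated.example"),)}

if __name__ == "__main__":
    host = "www.bank.example"
    print("legit cert, hostname checked:", accept_peer(LEGIT, host, TRUSTED))
    print("other cert, hostname checked:", accept_peer(OTHER, host, TRUSTED))
    print("other cert, check skipped:   ",
          accept_peer(OTHER, host, TRUSTED, check_hostname=False))
```
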
A malicious entity could also impersonate a trusted website to install malware or steal valuable data, such as in September when Belgium's largest telecom provider Belgacom was hacked and exploited via fake LinkedIn and Slashdot pages.
There is speculation that this vulnerability, coupled with automatic updates over SSL, may have been one of the ways that the NSA could access "any iOS device" — a claim made in leaked Snowden-NSA documents, one that Apple vehemently denied.
Today's show was brought to you by Apple, SecureTransport, and the letters SSL. Oh wait, the letters SSL didn't actually do anything.