Serious Apple Security Issue Threatens Macs
Last week, Apple released an update to iOS 6 and iOS 7, as well as the version of iOS inside the Apple TV, to fix a bug in its SSL implementation that would allow an evildoer on the same local network as your computer to intercept sensitive information as you browse the Web, send or receive mail, or do many other things that use SSL. Well, some digging indicates that OS X has the same bug and so far it is unpatched. Here are the details from the National Vulnerability Database for your review. If that’s a bit too technical for you, here’s something that is a bit more down to Earth:
The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
In addition to intercepting data, hackers could insert malicious web links in real emails, winning full control of the target computer.
The intruders do need to have access to the victim’s network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.
Apple has promised that a fix is on the way, but this is yet another example of Apple not taking security very seriously, and just the latest of its failures on that front.
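The kind of one-line slip the quoted description refers to, shown as an added example in C that is not Apple's code. It assumes the flaw takes the form of an unbraced `if` followed by a stray duplicated jump, and every name in it (`hash_update`, `signature_matches`, `verify_flawed`, `verify_hardened`) is a hypothetical stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the real hash and signature primitives. */
static int hash_update(int ok) { return ok ? 0 : -1; }   /* 0 = success */
static int signature_matches(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed shape: no braces, so the stray second jump is not part of the
   if. It always runs while err is still 0, skipping the signature check. */
int verify_flawed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(1)) != 0)
        goto fail;
    goto fail;                  /* stray duplicated line */
    if ((err = signature_matches(sig, expected)) != 0)
        goto fail;
fail:
    return err;                 /* 0 means "certificate accepted" */
}

/* Hardened shape: braces on every branch, and a fail-closed result that
   becomes 0 only after the signature comparison itself has succeeded. */
int verify_hardened(const char *sig, const char *expected) {
    int result = -1;            /* default deny */
    if (hash_update(1) != 0) {
        goto done;
    }
    if (hash_update(1) != 0) {
        goto done;
        goto done;              /* same stray line, inert inside braces */
    }
    if (signature_matches(sig, expected) != 0) {
        goto done;
    }
    result = 0;
done:
    return result;
}

int main(void) {
    /* Constructed sample values: a signature that does not match. */
    printf("flawed:   %d\n", verify_flawed("forged", "genuine"));
    printf("hardened: %d\n", verify_hardened("forged", "genuine"));
    return 0;
}
```

Compiler warnings for unreachable code or misleading indentation, plus a test that feeds the verifier a signature that must be rejected, are the checks that catch this class of mistake before release.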
April 23, 2014 at 10:59 pm
[…] has a point. Back in February Apple fixed a major SSL bug in iOS, but it took two weeks to implement the same fix in OS X. Meanwhile anyone could have been […]