Apple bug leaves devices vulnerable to hackers
If you own an Apple device running iOS 7, you may need to take a minute over the weekend to install an important security update released by the company on Friday.
Vulnerable devices include the iPhone 4 and later, iPod touch, and iPad 2 and later. Security researchers found the bug also occurs on Mac OS X running on Apple laptops and desktops.
Reuters reports the bug could allow attackers to intercept your email, bank account data and other information if they can gain access to a shared network, like a public Wi-Fi connection.
Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc., joins me for a Google+ Hangout about the iOS 7 bug.
Apple quietly released the security update, accompanied by a short post on its website indicating there was a need to fix a bug in the operating system’s SSL, the common method of defense against spying or unwanted attacks on the internet.
In the statement on its website, Apple said the software “failed to validate the authenticity of the connection.”
“This sort of subtle bug deep in the code is a nightmare,” Adam Langley, a web encryption expert at Google, wrote on his blog.
“I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.”
Langley analyzed the problem and said he found that Apple’s security update, known as a patch, solved the bug.
But users who do not download the patch could be vulnerable to attacks, especially as the news gains traction on websites like Hacker News.
Matthew Green, cryptography professor at Johns Hopkins University, tweeted about the severity of the iOS 7 issue:
I'm not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.
— Matthew Green (@matthew_d_green) February 21, 2014
Apple spokeswoman Trudy Muller told Reuters on Saturday that the company knew about the issue and was working to develop a software fix for these devices.
Apple has not released information about whether the flaw is already being exploited by hackers. The company also did not provide details about how it learned of the problem.