cbc.ca (© Copyright: (C) Canadian Broadcasting Corporation, http://www.cbc.ca/aboutcbc/discover/termsofuse.html#Rss)
Updated: Mon, 24 Feb 2014 12:05:13 GMT | By CBC News, cbc.ca

Apple security flaw: what you need to know



The Apple iPhone is displayed at the Verizon Wireless store in Fort Wayne, Indiana. Laura J. Gardner/Associated Press

Apple has released a mobile operating system update to fix a critical security flaw, but many users could still be vulnerable to hackers attempting to intercept internet communications.

On Friday, the company released iOS 7.0.6 for the iPhone 4 and later models, 5th-generation iPod touches, and iPad 2 and later. The update includes software patches to fix what's been labelled the "gotofail" or SSL encryption bug.

What is the security flaw?

The problem made it possible for hackers to monitor the exchange of potentially sensitive communications. Apple worded it this way on one of its support websites:

"Impact: an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS and modify data."

Without the fix, a hacker could impersonate a protected site and sit in the middle — hence carrying out what's known as a man-in-the-middle attack — as email or financial data goes between the user and the real site.

The flaw is in the way iOS implements the security protocols known as secure sockets layer (SSL) and transport layer security (TLS). These protocols provide two layers of protection that allow information to be transmitted worry-free between browsers and web servers, or between a mail server and mail client.

The first layer is encryption, which scrambles data sent over a network to keep it private. The second layer is verification that the server is authentic.

Will the fix last and what risk remains?

The iOS update fixes the problems with mobile, but the current OS X 10.9.1 for Mac desktop and laptop computers is still open to attack, experts say.

Industry researchers even warn that hackers could very soon find a way around both Friday's patch and similar fixes in future, prompting comparisons between Apple and Microsoft software, which historically has taken the lion's share of criticism over security flaws that could let hackers beat encryption.

According to Adam Langley, a senior software engineer at Google, writing for a blog on ImperialViolet.org, there's a "subtle bug deep in the code."

Langley says the flaw is the result of a single line of misplaced code that instructs apps to connect without first checking or verifying a website's security certificates.
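The "single line of misplaced code" Langley refers to is a duplicated `goto fail;` in the handshake's signature check. The C below is an added, constructed reproduction of that control-flow pattern, not Apple's code: the hash step and the signature check are stand-ins, the sample bytes are made up, and the braces in the fixed version are a defensive style choice rather than Apple's actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a 4-byte "handshake hash", a signature that
 * matches it and one that does not. Not real cryptography. */
const uint8_t kHash[4]    = {0xDE, 0xAD, 0xBE, 0xEF};
const uint8_t kGoodSig[4] = {0xDE, 0xAD, 0xBE, 0xEF};
const uint8_t kBadSig[4]  = {0x00, 0x00, 0x00, 0x00};

/* Stand-in for the hashing steps that precede the signature check;
 * returns 0 on success like the real handshake helpers. */
static int hash_update_step(void) { return 0; }

/* Stand-in signature check: 0 when sig matches the hash, nonzero otherwise. */
static int check_signature(const uint8_t *hash, const uint8_t *sig, size_t n) {
    return memcmp(hash, sig, n) == 0 ? 0 : -1;
}

/* Mirrors the shape of the flawed check: a chain of
 * "if ((err = step()) != 0) goto fail;" with one extra, unconditional
 * "goto fail;". Everything after the duplicate, including the signature
 * check, is dead code, so the function returns err == 0 (success) for ANY
 * signature. The indentation hides that the second goto is unconditional. */
int verify_vulnerable(const uint8_t *hash, const uint8_t *sig, size_t n) {
    int err;
    if ((err = hash_update_step()) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    err = check_signature(hash, sig, n);    /* never reached */
fail:
    return err;
}

/* Same logic with the duplicate removed and braces on the branch, so a
 * stray goto cannot silently swallow the steps that follow it. */
int verify_fixed(const uint8_t *hash, const uint8_t *sig, size_t n) {
    int err;
    if ((err = hash_update_step()) != 0) {
        goto fail;
    }
    err = check_signature(hash, sig, n);
fail:
    return err;
}

int main(void) {
    printf("vulnerable accepts bad signature: %s\n",
           verify_vulnerable(kHash, kBadSig, 4) == 0 ? "yes" : "no");
    printf("fixed accepts bad signature: %s\n",
           verify_fixed(kHash, kBadSig, 4) == 0 ? "yes" : "no");
    return 0;
}
```

Compiling with unreachable-code and misleading-indentation warnings enabled (where the compiler offers them) flags the dead line, which is the kind of check that catches this class of bug before release.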

Apple has not said when or how it learned about the flaw, nor has it said whether the flaw was being exploited. But some researchers say the problem has been around for weeks, or even months.

Apple has told Reuters it will be offering a fix for the OS X 10.9.1 encryption flaw within days.

How can OS X users protect themselves?

Until the California-based company can fully clamp down on the flaw, industry experts are advising people using a Macintosh laptop running OS X 10.9.1 to avoid connecting to public WiFi, as you would at the library, airport or coffee shop.

Those same users should also avoid using the default Apple browser (Safari) and email client (Mail.app), according to technology researcher Ashkan Soltani. Both use the company's SSL/TLS implementation.

However, if there's no way around using public WiFi, a VPN account should reduce the risk, according to the Mac Observer website.

Among other vulnerable apps and services are iMessage, iBooks, and FaceTime, as well as Apple's software update mechanism, so those, too, should be avoided for now.