Apple on Friday quietly pushed out an update for its mobile devices to fix a major security flaw that could allow attackers to intercept encrypted email and other data. Experts warn that Mac desktops and laptops are still at risk.
The flaw, which lies in how iOS 7 validates the SSL certificates meant to protect websites, could let an attacker on the same network as a victim eavesdrop on all of the victim’s activity. Apple did not reveal much about the problem, though experts who have studied the bug said attackers could mount man-in-the-middle attacks to intercept messages as they travel from a user’s device to sites such as Gmail, Facebook, or even online banking.
“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said in its advisory.
As PCMag’s Security Watch blog noted, SSL certificate validation is “critical” for establishing secure sessions with websites.
“By validating the certificate, the bank website knows that the request is coming from the user, and is not a spoofed request by an attacker,” PCMag’s Fahmida Rashid wrote. “The user’s browser also relies on the certificate to verify the response came from the bank’s servers and not from an attacker sitting in the middle and intercepting sensitive communications.”
A patch is available for the iPhone 4 and newer Apple smartphones, as well as the iPod touch (5th generation), iPad 2, 3, and Air. Those who have not already installed the update should do so immediately.
But the problem doesn’t end there. The same flaw also affects the latest version of Apple’s Mac OS X desktop software, where several applications, including Safari, rely on the faulty SSL/TLS library, called SecureTransport, Adam Langley, a senior engineer at Google, wrote in a blog post. OS X has not yet been patched; a fix is expected soon, and users should install it as soon as it is available.
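To show why a skipped validation step matters, here is an added illustration that is neither Apple’s code nor from this article: a simplified key-exchange signature check in the shape of the SecureTransport defect (a duplicated `goto fail;` that makes the comparison unreachable, a detail the article does not spell out), next to the corrected form. The toy checksum standing in for a real signature is a constructed placeholder, not a cryptographic primitive.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the real signature check: a keyed checksum
   over the key-exchange bytes. Illustration only, not a real MAC. */
static uint32_t toy_sig(const uint8_t *data, size_t len, uint32_t key) {
    uint32_t h = key ^ 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) h = (h ^ data[i]) * 16777619u;
    return h;
}

enum { ERR_OK = 0, ERR_BAD_SIG = -1 };

/* Vulnerable shape: the second, unconditional "goto fail;" jumps over the
   signature comparison while err is still ERR_OK, so the function reports
   success for a forged key exchange. The client then proceeds with the
   handshake as if the server had proved possession of its key. */
int verify_kx_vulnerable(const uint8_t *kx, size_t len, uint32_t sig, uint32_t key) {
    int err = ERR_OK;
    uint32_t expect;
    if (len == 0) { err = ERR_BAD_SIG; goto fail; }
    expect = toy_sig(kx, len, key);
        goto fail;                 /* duplicated line: check below is unreachable */
    if (expect != sig) { err = ERR_BAD_SIG; goto fail; }
fail:
    return err;
}

/* Fixed shape: every step is checked and the comparison result reaches
   the caller, so a bad signature aborts the handshake. */
int verify_kx_fixed(const uint8_t *kx, size_t len, uint32_t sig, uint32_t key) {
    int err = ERR_OK;
    uint32_t expect;
    if (len == 0) { err = ERR_BAD_SIG; goto fail; }
    expect = toy_sig(kx, len, key);
    if (expect != sig) { err = ERR_BAD_SIG; goto fail; }
fail:
    return err;
}

/* Returns 1 if the vulnerable check accepts a forged signature that the
   fixed check rejects, i.e. demonstrates the bug on constructed input. */
int forged_signature_accepted(void) {
    const uint8_t kx[] = {0x01, 0x02, 0x03, 0x04};   /* constructed key-exchange bytes */
    uint32_t key = 0xC0FFEEu;                          /* constructed verification key */
    uint32_t forged = toy_sig(kx, sizeof kx, key) ^ 1; /* wrong by one bit */
    return verify_kx_vulnerable(kx, sizeof kx, forged, key) == ERR_OK &&
           verify_kx_fixed(kx, sizeof kx, forged, key) == ERR_BAD_SIG;
}
```

Compiling with unreachable-code warnings enabled (for example clang’s `-Wunreachable-code`) flags the duplicated line, which is one reason such warnings belong in a build that ships TLS code.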
While waiting for the patch, there are a few ways to stay safe. For starters, avoid connecting to other people’s Wi-Fi networks, even if they are password-protected, Paul Ducklin, head of technology at security firm Sophos, wrote in a blog post Monday. If you are using a Mac for business, consider asking your employer to set you up as part of the company’s VPN if they have one.
It’s also a good idea to use alternative browsers like Firefox or Chrome until the patch is out. These browsers use their own SSL/TLS libraries, thereby “immunizing them against the bug in Apple’s SecureTransport library,” Ducklin wrote. Once the fix is available, it will be safe to switch back to Safari.