Apple promises SSL snooping fix for Mac OS X 10.9 users ‘very soon’
Apple has admitted a bug in Mac OS X 10.9.1 could allow hackers to intercept and decrypt users’ SSL-encrypted connections – and has vowed to release a fix “very soon.”
The Cupertino giant issued updates for versions 7 and 6 of its mobile operating system iOS on Friday to address the same flaw in iDevices.
But it quickly became apparent that the vulnerability also exists in desktop and laptop computers running Mac OS X Mavericks, the latest public release of Apple’s desktop OS.
The security hole was created by a trivial programming cock-up, which causes Apple’s SSL/TLS library to skip over vital verification checks of a server’s authenticity when establishing a connection.
A malicious router, Wi-Fi access point or similar system could exploit this to silently masquerade as a legit website or online service, and thus read and tamper with the private contents of a victim’s supposedly secure connection.
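To show the class of mistake described above, here is an added example in C (not Apple’s source and not code from the article): a simplified reconstruction of the widely documented duplicated `goto fail;` pattern, with constructed stand-ins for the hashing and signature steps, beside a fail-closed rewrite that a stray goto cannot turn into a pass.

```c
/* Constructed stand-ins for the hash and signature steps of a server
 * key-exchange check. Each returns 0 on success, non-zero on error.
 * The "signature" is a single int that must equal 0x42 to verify. */
#define ERR_NONE     0
#define ERR_BAD_SIG -1

static int hash_update(int *ctx, int data) { *ctx += data; return ERR_NONE; }
static int hash_final(int *ctx)            { (void)ctx;    return ERR_NONE; }
static int verify_signature(int sig)       { return sig == 0x42 ? ERR_NONE : ERR_BAD_SIG; }

/* Vulnerable shape: the second, unconditional "goto fail;" makes everything
 * after it dead code, including the signature check. err still holds 0 from
 * the last successful hash step, so the caller is told the handshake is fine. */
int verify_server_key_exchange_vulnerable(int client_random, int server_random, int sig)
{
    int err;
    int ctx = 0;

    if ((err = hash_update(&ctx, client_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
        goto fail;                       /* the duplicated line: always taken */
    if ((err = hash_final(&ctx)) != 0)
        goto fail;
    err = verify_signature(sig);         /* never reached */

fail:
    return err;
}

/* Hardened shape: braces on every conditional, and a result that starts as
 * failure and is only cleared after the signature check itself has passed,
 * so any early jump to the cleanup label reports a failed verification. */
int verify_server_key_exchange_fixed(int client_random, int server_random, int sig)
{
    int result = ERR_BAD_SIG;            /* fail closed */
    int ctx = 0;

    if (hash_update(&ctx, client_random) != 0) { goto fail; }
    if (hash_update(&ctx, server_random) != 0) { goto fail; }
    if (hash_final(&ctx) != 0)                 { goto fail; }
    if (verify_signature(sig) != 0)            { goto fail; }
    result = ERR_NONE;                   /* reached only if every step passed */

fail:
    return result;
}
```

Building the first version with `-Wunreachable-code` (clang) or a style check that requires braces around every conditional body flags the dead code that hides the skipped check.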
Apple’s Safari web browser running on OS X 10.9.1 is vulnerable to SSL snoopers because it relies on the broken crypto library; other Cupertino apps such as Mail, Messages, iTunes and iCloud are feared to be faulty as well. Essentially, a hacker could attempt to exploit this week’s bug to ambush a network connection and steal credit card numbers, hijack banking and email accounts, and so on.
“We are aware of this issue and already have a software fix that will be released very soon,” Apple spokeswoman Trudy Muller told Reuters.
Meanwhile, someone’s set up a website called gotofail.com, a reference to the C code bug at the heart of the problem, so that users can check whether their web browsers running on OS X 10.9.1 are vulnerable. ®