Apple promises fix "very soon" for Macs with failed encryption

SAN FRANCISCO Sun Feb 23, 2014 8:43am IST

Apple Inc CEO Tim Cook speaks about their new Mac Book computers during an Apple event in San Francisco, California October 22, 2013. REUTERS/Robert Galbraith/Files


SAN FRANCISCO (Reuters) - Apple Inc (AAPL.O) said on Saturday it would issue a software update "very soon" to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers.

Confirming researchers' findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: "We are aware of this issue and already have a software fix that will be released very soon."

Apple released a fix Friday afternoon for the mobile devices running iOS, and most will update automatically. Once that fix came out, experts dissected it and saw the same fundamental issue in the operating system for Apple's mainstream computers.

That started a race, as intelligence agencies and criminals will try to write programs that take advantage of the flaw on Macs before Apple pushes out the fix for them.

The flaw is so odd in retrospect that researchers faulted Apple for inadequate testing and some speculated that it had been introduced deliberately, either by a rogue engineer or a spy. Former intelligence operatives said that the best "back doors" often look like mistakes.

Muller declined to address the theories.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Adam Langley, who deals with similar programming issues as a Google (GOOG.O) engineer, wrote on his personal blog that the flaw might not have shown up without elaborate testing.

"I believe that it's just a mistake and I feel very bad for whomever might have slipped," he wrote.

The problem lies in the way the software recognizes the digital certificates used by banking sites, Google's Gmail service, Facebook (FB.O) and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
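The class of defect described above, one stray line after an `if` written without braces, can be shown in a few lines of C. This is an added, constructed illustration and not Apple's code; `hash_update`, `verify_signature`, `check_flawed` and `check_fixed` are hypothetical names.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-ins for two steps of a handshake signature check.
   Each returns 0 on success and non-zero on failure. */
static int hash_update(bool ok)             { return ok ? 0 : -1; }
static int verify_signature(bool sig_valid) { return sig_valid ? 0 : -1; }

/* Flawed form: without braces the `if` guards only the first goto.
   The second goto always runs, while err is still 0 from the step
   that just succeeded, so the signature is never checked. */
int check_flawed(bool sig_valid) {
    int err;
    if ((err = hash_update(true)) != 0)
        goto fail;
        goto fail;   /* stray line: jumps past verification with err == 0 */
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;      /* 0 is treated as "certificate accepted" */
}

/* Corrected form: braces on every branch and no stray jump, so a bad
   signature reaches verify_signature() and produces an error. */
int check_fixed(bool sig_valid) {
    int err;
    if ((err = hash_update(true)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    printf("flawed, invalid signature -> %d\n", check_flawed(false));
    printf("fixed,  invalid signature -> %d\n", check_fixed(false));
    return 0;
}
```

Compiler diagnostics catch this pattern: GCC's `-Wmisleading-indentation` (part of `-Wall`) and Clang's `-Wunreachable-code` both flag the flawed function, and a negative test that feeds the check an invalid signature fails immediately.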

In addition to intercepting data, hackers could insert malicious web links in real emails, winning full control of the target computer.

The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.

The bug has been present for months, according to researchers who tested earlier versions of Apple's software. No one had publicly reported it before, which means that any knowledge of it was tightly held and that there is a chance it hadn't been used.

But documents leaked by former U.S. intelligence contractor Edward Snowden showed agents boasting that they could break into any iPhone, and that hadn't been public knowledge either.

Apple did not say when or how it learned about the flaw in the way iOS and Mac OS handle sessions in what are known as secure sockets layer or transport layer security. Those are shown to users by the website prefix "https" and the symbol of a padlock.

The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc.

(Editing by James Dalgleish)
