On Friday, Apple pushed out iOS 7.0.6 and iOS 6.1.6, updates that addressed a critical SSL security issue. Those two patches cover hundreds of millions of iPhone, iPad and iPod touch users, the vast majority of Apple’s customers. For the rest of us, Apple is promising a Mac security fix “very soon.”
There was a fundamental issue with how Apple’s ubiquitous mobile devices handle SSL certificates, which has been fixed. However, the very same flaw also exists in the company’s OS X desktop operating system.
“We are aware of this issue and already have a software fix that will be released very soon,” Apple spokeswoman Trudy Muller told Reuters.
Whether you call it a hole or backdoor, Mac security is fundamentally compromised.
The problem lies in the way the software recognizes the digital certificates used by banking sites, Google’s Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site — Reuters.
To computer experts, the underlying issue is “just a mistake.” However, with the ongoing furor over NSA spying and data collection, the conspiracy theorists are having a field day.
Mac Security: NSA’s Fingerprints?
The flaw is so odd in retrospect that researchers faulted Apple for inadequate testing and some speculated that it had been introduced deliberately, either by a rogue engineer or a spy. Former intelligence operatives said that the best “back doors” often look like mistakes — Reuters
Sigh. These days, the conspiracy theorists look sane compared to the NSA deniers and apologists.
Previously, Tapscape reported on the NSA’s “dropoutjeep” toolkit, which supposedly allowed the American spy agency to hack any iPhone. The above SSL certificate issue could be the backdoor they used to compromise both iOS and Mac security.
And, well, as far as anyone can tell, Apple’s fixed the SSL certificate issue in iOS. Now, we’re left waiting for the Mac security patch for OS X…
What’s your take?