Apple has a history of sitting on security flaws while its users suffer. The most notable recent example was the Flashback malware, which spread through a Java vulnerability for which Oracle, the maintainer of Java, had already shipped a patch. Apple, which distributed its own Java build for OS X, took roughly seven weeks to deliver the same fix, and hundreds of thousands of Macs were infected in the meantime.
A similar case occurred this past week. The flaw existed in both of Apple's major operating systems, Mac OS X and iOS 7. Apple has now patched both, but it's disturbing how long the fix took and how exposed users were left in the meantime.
How the flaw worked
This latest flaw was in Apple's implementation of Secure Sockets Layer (SSL), the protocol (now more precisely called TLS) that your browser and most other apps use to talk to websites and servers. SSL does two jobs: it encrypts the connection so nobody in between can read it, and it verifies the identity of the server so you know you are talking to the real website and not an impostor.
When SSL breaks, user security breaks with it. In this case the bug meant that Safari and other Apple software did not properly check the identity of the server it was connecting to, so a malicious website could masquerade as a legitimate one in an attempt to steal your information.
Imagine two people in a room: you and Gmail. You're facing Gmail. You reach out to shake his hand, but before you can, a third man walks in and steps between you. He says he is Gmail and confidently reaches out to shake your hand first. You shake it and begin your business. This is called a man-in-the-middle attack: it lets bad actors disguise themselves as trusted parties in order to intercept your information. Normally SSL's identity check stops this during the initial handshake; the Apple bug meant that check was effectively skipped.
The full details of the bug were not widely published at first. The security researchers who worked out what it was refused to divulge specifics, but they did suspect that malicious third parties already knew about it:
Dear everyone: do *not* use Safari until Apple patches their SSL code in Mac OS X. Man-in-the-middle exploits are already in the wild.
— Nick Sullivan (@grittygrease) February 22, 2014
I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.
— Matthew Green (@matthew_d_green) February 21, 2014
So yes, the issue was incredibly serious. It affected not just Safari but also Apple Mail, Calendar, and almost every other app on iPhones and Macs that relies on Apple's SSL library for its secure connections.
Basically, it allowed anyone on the same network as you to intercept and read, or even alter, your supposedly secure traffic. If you were using your iPhone on coffee-shop Wi-Fi, for example, someone else on that network could have impersonated the sites you visited and stolen your data. The scariest part is how easy that would have been once the flaw became known.
Apple released the iOS fix on February 21, and it was that update's release notes that made the flaw public. The Mac OS X fix didn't arrive until February 25, leaving Mac users exposed for four more days after the bug was widely known, something for which Apple has taken a lot of criticism.
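The paragraphs above describe what the bug let an attacker do; the code below is an added example (not Apple's code, and not from this article) of how a check like that can silently disappear. The real Apple bug became known as "goto fail" after a single duplicated `goto fail;` line in the handshake code that verifies the server's signature: the duplicate jumps to the cleanup label unconditionally, so the signature is never verified while the function still returns success. The block models that pattern in simplified C with a toy FNV-1a hash standing in for the real cryptography (an assumption so it runs offline), shows the vulnerable function beside the fixed one, and feeds both constructed handshake bytes rather than anything captured from a real connection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the "goto fail" bug class; not Apple's code. The hash and
 * "signature" are toy stand-ins (assumed, not real crypto) so the example
 * has no dependencies. Functions return 0 on success, non-zero on failure. */

typedef struct { const unsigned char *data; size_t len; } buf_t;
typedef struct { uint32_t h; } hash_ctx_t;

static int hash_init(hash_ctx_t *c) { c->h = 2166136261u; return 0; }

static int hash_update(hash_ctx_t *c, const buf_t *b) {
    if (b->data == NULL && b->len != 0) return -1;
    for (size_t i = 0; i < b->len; i++) { c->h ^= b->data[i]; c->h *= 16777619u; }
    return 0;
}

static int hash_final(hash_ctx_t *c, uint32_t *out) { *out = c->h; return 0; }

/* Stand-in for the public-key check: the "signature" is the digest the
 * legitimate server would have produced, so a forgery fails to match. */
static int raw_verify(uint32_t digest, uint32_t signature) {
    return digest == signature ? 0 : -1;
}

/* VULNERABLE: the duplicated goto runs unconditionally, so hash_final() and
 * raw_verify() are never reached and err is still 0 from the last update(). */
static int verify_key_exchange_vulnerable(const buf_t *client_random,
                                          const buf_t *server_random,
                                          const buf_t *signed_params,
                                          uint32_t signature) {
    hash_ctx_t ctx;
    uint32_t digest = 0;
    int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, signed_params)) != 0)
        goto fail;
        goto fail;   /* <-- the bug: indented like the if body, but unconditional */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;

    err = raw_verify(digest, signature);

fail:
    memset(&ctx, 0, sizeof ctx);
    return err;
}

/* FIXED: one goto per check, with braces so each body is explicit. */
static int verify_key_exchange_fixed(const buf_t *client_random,
                                     const buf_t *server_random,
                                     const buf_t *signed_params,
                                     uint32_t signature) {
    hash_ctx_t ctx;
    uint32_t digest = 0;
    int err;

    if ((err = hash_init(&ctx)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, client_random)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, server_random)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, signed_params)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }

    err = raw_verify(digest, signature);

fail:
    memset(&ctx, 0, sizeof ctx);
    return err;
}

/* Constructed handshake bytes (not captured from any real session). */
static const unsigned char k_client_random[] = "client-random";
static const unsigned char k_server_random[] = "server-random";
static const unsigned char k_signed_params[] = "ephemeral-dh-params";

static buf_t mk(const unsigned char *p, size_t n) { buf_t b = { p, n }; return b; }

/* The signature a legitimate server would send under the toy scheme. */
static uint32_t genuine_signature(void) {
    hash_ctx_t c; uint32_t d;
    buf_t cr = mk(k_client_random, sizeof k_client_random - 1);
    buf_t sr = mk(k_server_random, sizeof k_server_random - 1);
    buf_t sp = mk(k_signed_params, sizeof k_signed_params - 1);
    hash_init(&c); hash_update(&c, &cr); hash_update(&c, &sr); hash_update(&c, &sp);
    hash_final(&c, &d);
    return d;
}

static int run_check(int (*verify)(const buf_t *, const buf_t *, const buf_t *, uint32_t),
                     uint32_t sig) {
    buf_t cr = mk(k_client_random, sizeof k_client_random - 1);
    buf_t sr = mk(k_server_random, sizeof k_server_random - 1);
    buf_t sp = mk(k_signed_params, sizeof k_signed_params - 1);
    return verify(&cr, &sr, &sp, sig);
}

/* Each returns 1 if the named outcome occurred. A forged signature is any
 * value other than the genuine one; XOR with a non-zero constant guarantees that. */
int vulnerable_accepts_forgery(void) {
    return run_check(verify_key_exchange_vulnerable, genuine_signature() ^ 0xDEADBEEFu) == 0;
}
int fixed_rejects_forgery(void) {
    return run_check(verify_key_exchange_fixed, genuine_signature() ^ 0xDEADBEEFu) != 0;
}
int fixed_accepts_genuine(void) {
    return run_check(verify_key_exchange_fixed, genuine_signature()) == 0;
}

int main(void) {
    printf("vulnerable accepts forged signature: %d\n", vulnerable_accepts_forgery());
    printf("fixed rejects forged signature:      %d\n", fixed_rejects_forgery());
    printf("fixed accepts genuine signature:     %d\n", fixed_accepts_genuine());
    return 0;
}
```

The point for practitioners is that nothing in the vulnerable function "fails": every call that does run succeeds, so the error variable reports success and the caller proceeds with the handshake. That is why the analogy above holds: the impostor's handshake is accepted because the step that would have exposed him never executes. Compiling with warnings for misleading indentation and unreachable code (gcc's `-Wmisleading-indentation`, clang's `-Wunreachable-code`) flags exactly this shape, as does the braces-on-every-body style used in the fixed version.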
Will it affect you?
Apple has now fixed the problem on both platforms. If you installed the iOS update released on February 21 or the Mac OS X update released on February 25, or anything later, you're okay. If you're not sure, open Software Update and install everything that is offered; until you have, avoid logging in to sensitive sites from networks you don't control.
More exploits already discovered
According to some reports, the SSL flaw isn't Apple's only problem. Another issue was disclosed just hours after Apple patched the SSL bug. According to FireEye, a network security company, a malicious app distributed through Apple's App Store can record a user's keystrokes without the user noticing.
FireEye claims it was recently able to get a proof-of-concept app through App Store review. The app runs a background process that records every keystroke the user makes, even while other apps are in the foreground.
FireEye is reportedly working closely with Apple on the issue; its own interim advice was to close untrusted apps from the iOS task manager so they cannot keep running in the background. However, if history has taught us anything, it's that knowing about a flaw and actively fixing it are two completely different things for Apple.