Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X
from the we're-too-cool-for-details dept
Apple on Friday issued an update (iOS 7.0.6) that fixed a rather severe vulnerability in its SSL/TLS implementation in iOS. In short, the flaw let anyone positioned between the device and the server, the classic case being a shared Wi-Fi network, intercept or tamper with data during supposedly secure and encrypted transfers from an iPhone, iPad or iPod Touch. Estimates suggest that the vulnerability was introduced in iOS 6.0 back in September 2012 (Apple was added as a PRISM partner in October 2012, utterly circumstantial but just sayin'). After some reverse engineering of the patch, people discovered the cause was not an overhaul of anything: it was a single duplicated "goto fail;" line in Apple's SecureTransport library (tracked as CVE-2014-1266), in the routine that checks the server's signature on its key exchange message. Because the stray line jumped past the signature check while the status variable still said "success", a server presenting a bogus signature was accepted, so a man-in-the-middle could impersonate any site.
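The control-flow bug above is worth seeing in code. The following is an added illustration written for this page, not Apple's SecureTransport source: the hash and signature check are constructed toys (a 16-byte XOR fold, with a "signature" that is valid when it equals the finished hash) so the file runs offline, and every name in it (toy_hash, verify_ske_vulnerable, verify_ske_fixed, demo) is an assumption. The vulnerable function keeps the shape of the real bug, a duplicated unconditional goto in an if-without-braces chain; the fixed one shows the two habits that close this class of bug, braces on every branch and a fail-closed result that only the verification call can flip to success.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the "goto fail" bug for this page; not Apple's
 * code. Hashing and signature checking are constructed stand-ins. */

typedef struct { uint8_t data[16]; size_t len; } toy_hash;

/* Toy hash update: XOR-fold the input into 16 bytes (constructed). */
static int hash_update(toy_hash *h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) h->data[i % 16] ^= p[i];
    return 0;
}

static int hash_final(toy_hash *h) { h->len = 16; return 0; }

/* Toy signature check: valid iff the signature equals the finished hash. */
static int verify_sig(const toy_hash *h, const uint8_t *sig, size_t siglen)
{
    if (h->len == 0 || siglen != h->len) return -1;
    return memcmp(h->data, sig, siglen) == 0 ? 0 : -1;
}

/* Vulnerable shape. The second "goto fail" is unconditional: it skips the
 * remaining hash update, hash_final and, crucially, verify_sig. err still
 * holds 0 from the last successful call, so any signature is accepted. */
static int verify_ske_vulnerable(const uint8_t *cr, const uint8_t *sr,
                                 const uint8_t *params, size_t plen,
                                 const uint8_t *sig, size_t siglen)
{
    toy_hash h = {{0}, 0};
    int err;
    if ((err = hash_update(&h, cr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr, 32)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: always executed */
    if ((err = hash_update(&h, params, plen)) != 0)
        goto fail;
    if ((err = hash_final(&h)) != 0)
        goto fail;
    err = verify_sig(&h, sig, siglen);
fail:
    return err;
}

/* Corrected shape: braces on every branch, and the result starts as
 * "rejected"; only a completed verify_sig call can turn it into success. */
static int verify_ske_fixed(const uint8_t *cr, const uint8_t *sr,
                            const uint8_t *params, size_t plen,
                            const uint8_t *sig, size_t siglen)
{
    toy_hash h = {{0}, 0};
    int verified = 0;   /* fail closed */
    if (hash_update(&h, cr, 32) != 0) { goto fail; }
    if (hash_update(&h, sr, 32) != 0) { goto fail; }
    if (hash_update(&h, params, plen) != 0) { goto fail; }
    if (hash_final(&h) != 0) { goto fail; }
    verified = (verify_sig(&h, sig, siglen) == 0);
fail:
    return verified ? 0 : -1;
}

/* Runs one implementation against constructed handshake values standing in
 * for ClientHello.random, ServerHello.random and the signed key-exchange
 * params. fixed selects the implementation; genuine selects the real toy
 * signature versus an all-zero forgery. Returns 0 when the message is
 * accepted, -1 when rejected. */
int demo(int fixed, int genuine)
{
    uint8_t cr[32], sr[32], params[4], sig[16] = {0};
    memset(cr, 0x11, sizeof cr);
    memset(sr, 0x22, sizeof sr);
    memcpy(params, "\x01\x02\x03\x04", 4);
    if (genuine) {
        toy_hash h = {{0}, 0};
        hash_update(&h, cr, 32); hash_update(&h, sr, 32);
        hash_update(&h, params, 4); hash_final(&h);
        memcpy(sig, h.data, 16);
    }
    return fixed ? verify_ske_fixed(cr, sr, params, 4, sig, 16)
                 : verify_ske_vulnerable(cr, sr, params, 4, sig, 16);
}

int main(void)
{
    printf("vulnerable, forged signature: %d\n", demo(0, 0));  /* 0: accepted */
    printf("fixed, forged signature:      %d\n", demo(1, 0));  /* -1: rejected */
    printf("fixed, genuine signature:     %d\n", demo(1, 1));  /* 0: accepted */
    return 0;
}
```

The point the demo makes is that the vulnerable version never even computes the full hash, let alone compares it: the forged all-zero signature is accepted purely because the error variable was last set by a call that succeeded. A coding standard that requires braces, plus building with warnings for unreachable code enabled and treated as errors where the toolchain reports them, would have flagged the dead statements that follow the duplicated goto.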
The bigger problem is that during the same analysis people discovered it also impacts Apple laptops and desktops running OS X 10.9 Mavericks (there are a few of those out there), which ships the same SecureTransport library. The original bug existed for some time before being detected, and at the moment there is not only no fix in place for laptop and desktop users, but Apple hasn't issued any statement warning customers that everything they do at the coffee shop is potentially exposed.
Apple's only public comment was apparently to tell Reuters on Saturday that a fix was coming "very soon." There is a test website that lets you check whether the browser you are using is affected. Unsurprisingly, Apple is taking a lot of heat on numerous fronts for not doing more (read: anything) to help potentially impacted users:
"Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my Mac I'm vulnerable to this and there's nothing I can do, because you couldn't release a patch for both platforms at the same time? You do know there's a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?"
Perhaps silence is sexier? iPhone and iPad users should obviously update their systems ASAP. OS X users can supposedly protect themselves by using Chrome or Firefox, which ship their own TLS libraries rather than using Apple's, and by disabling background services (like Mail.app or iCloud) when wandering about on coffee shop Wi-Fi; Safari and anything else built on Apple's frameworks goes through the affected code, so there is no browser-level workaround for those. Regardless, surely the NSA, other intelligence organizations, hackers and other ne'er-do-wells looking to nab personal data greatly appreciate Apple's dead silence on the issue.
Who drops an SSL/TLS 0day on users at 4pm on a Friday, then spends the weekend saying a fix will be released "very soon"? Apple.
— Runa A. Sandvik (@runasand) February 24, 2014