Apple gotofail bug affects Facebook and Twitter

Apple devices such as these iPad Air tablets are vulnerable to hacking unless users download a security update.
Spencer Pratt/Getty Images

On Sunday, February 23, Andy Greenberg of Forbes reported that a security bug that affects many Apple computers and mobile devices could leave people vulnerable to hackers when they use Twitter, Mail and other popular apps.

According to Greenberg, "First, Apple revealed a critical bug in its implementation of encryption in iOS, requiring an emergency patch. Then researchers found the same bug is also included in Apple’s desktop OSX operating system, a gaping Web security hole that leaves users of Safari at risk of having their traffic hijacked. Now one researcher has found evidence that the bug extends beyond Apple's browser to other applications including Mail, Twitter, FaceTime, iMessage and even Apple's software update mechanism.

"On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he's determined use Apple's 'secure transport' framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL."

Greenberg pointed out that the list might not include everything affected by the bug, because Soltani only analyzed the programs on his own computer. Even so, Soltani identified at least eight popular OS X programs that will remain vulnerable to attack until Apple patches the desktop operating system; the security update Apple released on Friday, February 21 fixes the bug in iOS, while OS X 10.9.1 was still awaiting a fix.

According to Greenberg, "Soltani, an independent researcher whose recent work has included analyzing the surveillance documents leaked by NSA contractor Edward Snowden on behalf of the Washington Post, warns that the security of several applications on that list is severely compromised, including Apple's email program Mail, scheduling app Calendar and its official Twitter desktop client.

"The bug affects how Apple devices authenticate their secure connection with servers, allowing an eavesdropper to fake that verification and hijack or corrupt traffic using what's known as a 'man-in-the-middle' attack. 'All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,' Soltani says."
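Soltani's description above, that an eavesdropper can fake the server verification, comes down to a single duplicated line in Apple's Secure Transport library, in the function SSLVerifySignedServerKeyExchange in sslKeyExchange.c (tracked as CVE-2014-1266). The C below is an added example written for this page, not Apple's source or Soltani's work: it reproduces the control flow of the vulnerable function beside a fixed version, with constructed stand-ins for the hash and signature check (hash_update, raw_verify) and a constructed handshake so that it runs offline. The names verify_vulnerable, verify_fixed and signature_accepted are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int OSStatus;                       /* Secure Transport's status type */
enum { errSecSuccess = 0, errSSLCrypto = -9809 };

/* Constructed stand-ins: the real code hashes client random, server random and
 * the signed parameters with SHA-1 (and MD5 for RSA), then verifies the server's
 * signature over the digest. This checksum only exercises the control flow. */
static OSStatus hash_update(uint32_t *state, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *state = *state * 31u + buf[i];
    return errSecSuccess;
}

static OSStatus raw_verify(uint32_t digest, const uint8_t *sig, size_t sig_len)
{
    uint32_t claimed;
    if (sig_len != sizeof claimed)
        return errSSLCrypto;
    memcpy(&claimed, sig, sizeof claimed);
    return claimed == digest ? errSecSuccess : errSSLCrypto;
}

struct key_exchange {
    uint8_t client_random[32], server_random[32];
    const uint8_t *params; size_t params_len;   /* signed ServerKeyExchange body */
    const uint8_t *sig;    size_t sig_len;      /* server's signature over it */
};

/* Control flow of the vulnerable SSLVerifySignedServerKeyExchange. The second
 * "goto fail;" is not guarded by the if above it, so it always runs: the last
 * hash update and raw_verify are skipped and err is returned while it still
 * holds errSecSuccess from the previous update. Any signature is accepted. */
OSStatus verify_vulnerable(const struct key_exchange *kx)
{
    OSStatus err;
    uint32_t hash = 0;

    if ((err = hash_update(&hash, kx->client_random, 32)) != 0)
        goto fail;
    if ((err = hash_update(&hash, kx->server_random, 32)) != 0)
        goto fail;
        goto fail;   /* the duplicated line (CVE-2014-1266) */
    if ((err = hash_update(&hash, kx->params, kx->params_len)) != 0)
        goto fail;
    err = raw_verify(hash, kx->sig, kx->sig_len);
fail:
    return err;
}

/* Apple's fix removed the extra line. Bracing every guarded goto, as here, adds
 * a defence: a stray statement is then either harmless inside the braces or
 * visibly unconditional outside them. */
OSStatus verify_fixed(const struct key_exchange *kx)
{
    OSStatus err;
    uint32_t hash = 0;

    if ((err = hash_update(&hash, kx->client_random, 32)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&hash, kx->server_random, 32)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&hash, kx->params, kx->params_len)) != 0) {
        goto fail;
    }
    err = raw_verify(hash, kx->sig, kx->sig_len);
fail:
    return err;
}

/* Run `verify` on a constructed handshake (fixed randoms, made-up parameters)
 * with either the genuine signature, i.e. the stand-in digest an honest server
 * would produce, or a forged one with every bit flipped, as a man-in-the-middle
 * without the server's key would send. Returns 1 if the handshake is accepted. */
int signature_accepted(OSStatus (*verify)(const struct key_exchange *), int forged)
{
    static const uint8_t params[] = "constructed ServerKeyExchange parameters";
    struct key_exchange kx = { .params = params, .params_len = sizeof params - 1 };
    uint32_t digest = 0;
    uint8_t sig[sizeof digest];

    memset(kx.client_random, 0x11, sizeof kx.client_random);
    memset(kx.server_random, 0x22, sizeof kx.server_random);
    hash_update(&digest, kx.client_random, 32);
    hash_update(&digest, kx.server_random, 32);
    hash_update(&digest, kx.params, kx.params_len);
    if (forged)
        digest = ~digest;
    memcpy(sig, &digest, sizeof sig);
    kx.sig = sig;
    kx.sig_len = sizeof sig;
    return verify(&kx) == errSecSuccess;
}

int main(void)
{
    printf("vulnerable, forged signature accepted: %d\n", signature_accepted(verify_vulnerable, 1));
    printf("fixed, forged signature accepted:      %d\n", signature_accepted(verify_fixed, 1));
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable path accepts the forged signature, which is all a man-in-the-middle on a shared network needs. The attacker relays the genuine server's certificate chain, substitutes its own ephemeral key in the key exchange, signs it with anything, and the client proceeds to negotiate a session the attacker can read and modify. In this form the faulty line is flagged by GCC's -Wmisleading-indentation (part of -Wall since GCC 6) and by clang's -Wunreachable-code, warnings worth turning on for any code that uses the goto-cleanup idiom.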

On Saturday, February 22, Kevin Poulsen of Wired explained what could happen if Apple users in the greater Spokane area don't download the latest security update.

According to Poulsen, "Apple released iOS 7.0.6 [Friday, February 21] to patch the bug in its implementation of SSL encryption — the Internet's standard defense against eavesdropping and web hijacking. The bug essentially means that when you're e-mailing, tweeting, using Facebook or checking your bank account from a shared network, like a public WiFi or anything tapped by the NSA, an attacker could be listening in, or even maliciously modifying what goes to your iPhone or iPad."

The new iOS update protects Apple's mobile devices from the bug, but Mac desktops and laptops running OS X remain vulnerable. Greenberg reported that an update for OS X 10.9.1 should be available "very soon."

According to Poulsen, "The issue... is indeed fixed in the new iOS 7.0.6 (which you should install, if you’re using iOS 7.) An update to iOS 6 pushed [Friday] fixes the bug there as well. Reportedly, OS X 10.9.1 is still affected by the vulnerability."

Poulsen's reference to the NSA was probably an allusion to the rumors circulating among security experts that the bug was a deliberate attempt by the government to spy on Apple users.

Chris O'Brien of the Los Angeles Times gave an overview of what people have been saying about the bug on Sunday, February 23.

According to O'Brien, "... others wondered whether the code was a deliberate attempt to create a backdoor for government spy agencies. They pointed to the fact that some researchers have discovered that the bug first appeared in a version of iOS 6 at about the same time that slides released by Edward Snowden indicate that the National Security Agency claimed it had established a backdoor into some products by Apple.

"'It’s purely circumstantial,' wrote noted Apple follower John Gruber who writes the Daring Fireball blog. 'But the shoe fits.'

"Apple, as have other tech companies named by Snowden, has repeatedly denied that it has created any kind of backdoor into its products for U.S. government spy agencies."

O'Brien went on to say that other experts think the bug was simply an honest coding mistake.

According to O'Brien, "... several critics said the concerns over the gotofail bug were overblown. And they noted that cybersecurity experts have routinely detected far more security holes in Google's Android operating system."

Whether the bug was created by accident or deliberately, Apple users in the greater Spokane area should install the iOS security updates as soon as possible. O'Brien added that experts recommend Mac users avoid Apple's Safari web browser until the bug is patched on their OS X devices.