On Friday Apple announced a fix for a security bug in its iOS 7 system. On Saturday, web security experts parsed the patch to figure out exactly what the problem was… and apparently it’s a doozy.
Wired has all of the gory details:
“[The] terse description in Apple’s announcement yesterday had some of the internet’s top crypto experts wondering aloud about the exact nature of the bug. Then, as they began learning the details privately, they retreated into what might be described as stunned silence. “Ok, I know what the Apple bug is,” tweeted Matthew Green, a cryptography professor at Johns Hopkins. “And it is bad. Really bad.””
The culprit of what may be one of Apple’s biggest security snafus is an extra “goto” in one part of the SSL/TLS authentication code, Wired reported. Because that spurious line is unconditional, it jumps straight to the function’s exit with the error variable still holding “success,” skipping the check that would verify the server’s signature. The client therefore accepts a server that never proved it holds the key its certificate names, which is exactly what a man-in-the-middle needs.
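To make the mechanism concrete, here is an added illustration of the “goto fail” pattern described above. It is not Apple’s source: the hash and signature helpers are constructed stand-ins (a toy FNV-style mix and an equality check) chosen so the effect is observable, and the function names `verify_vulnerable`, `verify_fixed` and `sign_params` are assumptions for this example. The vulnerable form carries the duplicated `goto fail`; the fixed form is identical minus that one line.

```c
/* Added example: the "goto fail" control-flow bug, not Apple's code.
 * hash_*, raw_verify and the function names below are constructed stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t h; } hash_ctx;   /* toy hash state (assumption) */

static int hash_init(hash_ctx *c) { c->h = 2166136261u; return 0; }

/* FNV-1a style mixing: enough to make "hash differs" observable. */
static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->h; return 0; }

/* Stand-in for the raw signature check: a "signature" here is simply the
 * expected hash value. Returns 0 on match, nonzero on mismatch. */
static int raw_verify(uint32_t hash, uint32_t signature) {
    return hash == signature ? 0 : -1;
}

/* What a legitimate server would produce for these parameters. */
uint32_t sign_params(const uint8_t *server_random, size_t rlen,
                     const uint8_t *signed_params, size_t plen) {
    hash_ctx ctx; uint32_t out;
    hash_init(&ctx);
    hash_update(&ctx, server_random, rlen);
    hash_update(&ctx, signed_params, plen);
    hash_final(&ctx, &out);
    return out;
}

/* Vulnerable form: the second `goto fail` is not guarded by an `if`, so it is
 * always taken. err still holds 0 from the successful update, hash_final and
 * raw_verify never run, and the caller sees "verified". */
int verify_vulnerable(const uint8_t *server_random, size_t rlen,
                      const uint8_t *signed_params, size_t plen,
                      uint32_t signature) {
    hash_ctx ctx; uint32_t hash_out = 0; int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, signed_params, plen)) != 0)
        goto fail;
        goto fail;                       /* the spurious line */
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, signature);   /* unreachable */
fail:
    return err;
}

/* Fixed form: same code with the duplicated line removed. */
int verify_fixed(const uint8_t *server_random, size_t rlen,
                 const uint8_t *signed_params, size_t plen,
                 uint32_t signature) {
    hash_ctx ctx; uint32_t hash_out = 0; int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, signed_params, plen)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(hash_out, signature);
fail:
    return err;
}

int main(void) {
    /* Constructed sample handshake data. */
    const uint8_t rnd[] = "server-random";
    const uint8_t params[] = "dh-params";
    uint32_t good = sign_params(rnd, sizeof rnd, params, sizeof params);
    uint32_t forged = good ^ 1;          /* guaranteed to differ */
    printf("vulnerable, forged sig: %d\n", verify_vulnerable(rnd, sizeof rnd, params, sizeof params, forged));
    printf("fixed, forged sig:      %d\n", verify_fixed(rnd, sizeof rnd, params, sizeof params, forged));
    printf("fixed, good sig:        %d\n", verify_fixed(rnd, sizeof rnd, params, sizeof params, good));
    return 0;
}
```

The point worth noticing is that the compiler is entirely happy with the vulnerable version: the extra line is legal C, and only a dead-code warning (which most build configurations do not enable) or a test that feeds a bad signature would have caught it. That is the practical lesson from this bug: a negative test for signature verification belongs in every TLS implementation’s suite.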
The bug could allow attackers to intercept email and other communications that are meant to be encrypted, according to a Reuters report issued late on Friday night.
[Update: Apple spokesperson Trudy Muller sent us this comment about the continuing vulnerability in Macs: "We are aware of this issue and already have a software fix that will be released very soon." (i.e. iOS 6 and 7 have been patched; OS X 10.9 is the first OS X version to exhibit the vulnerability and is not yet patched, but will be soon. Until then, don't connect to any public Wi-Fi with your OS X 10.9 Macs.)]
As ZDNet’s contributing editor Larry Seltzer wrote:
Make no mistake about it, this is a very serious bug. The bug makes it fairly straightforward to intercept and decrypt SSL/TLS communications, probably the most important security protocol there is today.
ZDNet has more details on the patch.
Photo via Flickr user aditza121