Apple is known for its amazing products. Its products have great designs, great hardware and supposedly great security. Apple says its Mac OS X and iOS are among the world’s most secure operating systems. So it is ironic that one of the biggest security flaws was exposed in Apple’s iOS and Mac OS X. Although the fix for iOS was released in the form of iOS 7.0.6, Mac OS X’s security patch was delayed for more than 3 days.
Apple has finally released a bugfix version of OS X Mavericks and patches for the previous versions, Lion and Mountain Lion.
The security flaw is in Apple’s SecureTransport system, which is used by Apple’s core apps such as Safari, FaceTime, Mail and Calendar.
At its core, the flaw is an SSL vulnerability. You know how, whenever you access a secure site, a little padlock appears next to its address? That padlock means the connection to the site is encrypted with SSL. But Apple’s SecureTransport doesn’t properly check whether a site’s SSL certificate / key is legitimate. That means anyone can present a fake SSL key, be accepted, and get access to your data.
The flaw can be exploited only when you are on a public network, such as open Wi-Fi. Someone on that network can exploit the vulnerability and steal your data. Such an attack is known as a “man in the middle” attack.
So, all the apps that use Apple’s SecureTransport layer can be spoofed by offering a fake key, and as no one actually verifies the key, the attacker gets access to your data.
But for that, the attacker has to be able to monitor your internet traffic and to present a fake key to the apps. This is realistically possible only on public networks such as open Wi-Fi.
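To make the failure mode concrete, here is an added example in Python (not Apple’s SecureTransport code, and not from the original post). The first function builds a TLS client context that behaves the way the post describes, accepting any certificate or key without checking it; the second builds the corrected behaviour, where the certificate must chain to a trusted CA and match the hostname. The audit helper is a constructed check a defender can run over a client’s TLS settings to catch the weak configuration; `fetch_head` shows how the hardened context is used for a real connection, with the host name and port assumed.

```python
import socket
import ssl

# Constructed example: a TLS client that skips certificate checks, beside a
# hardened one, and an audit helper that flags the dangerous settings.


def insecure_client_context():
    """Models the flaw in the post: the server's certificate is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be turned off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate / key is accepted
    return ctx


def hardened_client_context():
    """Corrected behaviour: trusted CA chain, hostname match, modern TLS only."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context verifies peers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: forged certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


def fetch_head(host, port=443, ctx=None):
    """Issue an HTTP HEAD over TLS; the handshake fails if the certificate is bad."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode())
            return tls.recv(4096)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

With the insecure context a man in the middle presenting any certificate completes the handshake and reads the traffic; with the hardened context `wrap_socket` raises `ssl.SSLCertVerificationError` instead, which is exactly the check the post says was missing.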
It is surprising that such a glaring vulnerability was left unfixed for 3-4 days! An even more unsettling fact is that the security flaw has been a part of iOS since iOS 6 and a part of Mac OS X since OS X Lion!
Apple has released OS X Mavericks 10.9.2, which fixes the vulnerability and also adds new features to the FaceTime and iMessage services that allow you to make audio calls, use call waiting and block messages from individual senders. It also fixes the bug of Mail not being able to connect to certain service providers, and improves SMB2 and VPN features.
For users running the older OS X Lion and Mountain Lion, Apple has released the bugfixes in the form of security updates.