Over the weekend you may have heard some stuff about Apple software and a vulnerability that would allow hackers to see into your online soul. You may have been concerned. You may have questioned whether it was safe to do online banking at home from your MacBook Air. Or you may have been totally oblivious because news/the world does not exist on the weekend. Both are reasonable! But now it’s Monday so it’s time to get down to business and study up … instead of working.
This seems scary. What’s happening?
On Friday night (a favorite time to release bad news masquerading as benign news), Apple released iOS 7.0.6. The posting noted, “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred.” But the update explained, “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. … This issue was addressed by restoring missing validation steps.” What they’re trying to say is that validation steps for a standard encryption method weren’t happening, so the encryption wasn’t secure and people might have been able to see in. Put even more simply: bad things.
The encryption process in question here is Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Both work to encrypt the communication between a browser, like Apple’s Safari, and the servers that drive websites. People often describe this type of encryption as a “digital handshake,” where both sides meet and swap verification keys as a quick trust check. In this case with iOS, a mistake in the code was causing the encryption to skip a bunch of verifications if an initial test was successful, which it pretty much always would be. This meant that your browser would think it had a secure connection even though it really could be communicating with any server, including a malicious one.
Great, now this seems even scarier. What should I do?
You should update the software on your iDevices right now. Don’t wait. Apple’s 7.0.6 update is a patch that resurrects the steps in the SSL/TLS verification system that have been missing. It prevents you from being vulnerable to the type of attack hackers could use to peer into your digital life. They’re called “man in the middle” attacks, and they basically route you through a malicious server for surveillance on your way to the site you wanted, like your bank’s website. That way the hackers can see everything you’re doing and collect the data over time if they want to.
You can tell that this vulnerability is serious because Apple released an iOS 6 update called 6.1.6 that will fix the flaw for people using iDevices that are too old to upgrade to iOS 7. Those are devices Apple wants people to replace, running an operating system Apple is trying to phase out. And it’s still getting this fix. That means this is a very real threat.
The issue right now is that Macs running OS X are affected as well, and Apple hasn’t released a fix yet. Spokesperson Trudy Muller told Reuters on Saturday, “We are aware of this issue and already have a software fix that will be released very soon.” When it does arrive, you should download that update on all of the iMacs and assorted MacBooks you can. And tell your friends.
And in the meantime?
Once you’ve updated your iDevices, you’ll be good to go on those. On your Mac you should start browsing with Chrome, Firefox, or another third-party browser if you don’t already. Avoid Safari because it is known to be compromised. As Forbes reports, other apps like iMessage, Apple’s Twitter client, Mail, Facetime, iCal, and more may be affected. Try to do everything you can in a non-Safari browser or on an updated iDevice, and use secure networks (your home Internet, not the free Wi-Fi at Starbucks) until a patch comes out.
Maybe I don’t want to know, but how long has this been going on?
Yeah, you don’t want to know. This vulnerability has apparently existed since iOS 6, which was released in September 2012. So about 18 months. Additionally, Apple reserved the Common Vulnerabilites and Exposures code (a public index of vulnerabilities) for this security flaw on Jan. 8. It’s not clear what the company knew when, but that was almost seven weeks ago.
This is just depressing. Are we done now?
Yes. Oh, one more thing. Today is Steve Jobs’ birthday.