The security firm CrowdStrike, one of the first to release information on the patch, said that the bug in Apple’s system leaves devices open to hackers by letting them bypass the verification that Web sites use to encrypt sensitive information, called SSL/TLS. It’s used by financial sites, e-mail providers and social networks, among others, to keep information that passes from users’ browsers to company servers private. The bug makes it easy for bad actors to create fake Web sites that look like sites users trust and visit every day and to grab the information that the unaware users send to those companies.
What should I do?: All you iOS users should go to your Settings menu to update your system through the “General” submenu. Right now.
This is the kind of update that should not be ignored, and it doesn’t take long to install. Apple has pushed out updates for iOS 7 users, as well as for iOS 6 users who’ve been wary to make the jump to the firm’s newest system. The firm has also released an update for Apple TV.
If you have a Mac, you’ll have to sit tight until Apple releases the update, at which point you should update your system without delay. (There are some fixes that independent researchers have released out there, but they require quite a bit of technical knowledge.)
Until then, stay away from untrusted networks such as open WiFi networks at airports and coffee shops — these are the kind of networks you should avoid anyway. CrowdStrike also recommends that users turn off the “Ask to Join Networks” setting on their unpatched mobile devices and computers to keep them from joining those networks by accident.
How did this happen?: Apple is staying pretty tight-lipped about the whole thing, citing company policy not to discuss ongoing internal investigations.
A variety of security experts, however, have said that the problem lies with a duplicated line of code. According to Google engineer Adam Langley, that means the verification will never fail; in other words, there’s nothing to keep impostors from directing users to fake Web sites that look secure.
“This sort of subtle bug deep in the code is a nightmare. I believe that it's just a mistake, and I feel very bad for whomever might have slipped in an editor and created it,” Langley said.
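To show what a duplicated line of that shape does to a verification routine, here is a constructed C illustration added to this article (not Apple’s code): the hash and signature checks are hypothetical stand-ins, and the duplicated unconditional jump mirrors the repeated `goto fail;` in Apple’s Secure Transport code, placed beside the same function with the duplicate removed.

```c
#include <stdio.h>

/* Error codes: 0 means the step succeeded. */
enum { OK = 0, ERR_BAD_SIG = -1, ERR_HASH = -2 };

/* Constructed inputs standing in for real handshake data. */
typedef struct {
    int hash_ok; /* would the hash update succeed? */
    int sig_ok;  /* would the server's signature verify? */
} fake_inputs;

static int update_hash(const fake_inputs *in)      { return in->hash_ok ? OK : ERR_HASH; }
static int verify_signature(const fake_inputs *in) { return in->sig_ok ? OK : ERR_BAD_SIG; }

/* Vulnerable shape: the second "goto fail;" is not governed by the if above
 * it, so it always executes while err is still OK. The signature check below
 * it is dead code, and a forged signature is reported as valid. */
int verify_vulnerable(const fake_inputs *in) {
    int err = OK;
    if ((err = update_hash(in)) != 0)
        goto fail;
        goto fail; /* duplicated line: unconditional */
    if ((err = verify_signature(in)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: each jump is guarded, so err reflects every check. Bracing
 * every if body also makes a stray duplicated line harmless. */
int verify_fixed(const fake_inputs *in) {
    int err = OK;
    if ((err = update_hash(in)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(in)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    fake_inputs forged = { 1, 0 }; /* good hash, bad signature */
    printf("vulnerable: %d (0 = accepted)\n", verify_vulnerable(&forged));
    printf("fixed:      %d\n", verify_fixed(&forged));
    return 0;
}
```

Modern GCC flags this exact indentation pattern with -Wmisleading-indentation, one reason such warnings belong in the build.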
Some security experts have said this shows that Apple has been lax about checking its code for problems, and some have chided the company for not reporting or fixing the problem sooner.
Others have suggested that this may be the bug revealed in leaks made by former National Security Agency contractor Edward Snowden that the agency used to gain access to iPhones.
Apple declined to provide any additional information on the bug.