Apple’s security bug: What to know about it and what to do about it


Bloomberg Photo Service 'Best of the Week': The Apple Inc. logo is seen in the window of a store in New York, U.S., on Thursday, Jan. 23, 2014. (Ron Antonelli/Bloomberg)

Apple users, it’s time for some updates. Last Friday, the tech giant took the unusual step of releasing an update for its mobile operating system, iOS, to fix one bug — one that left Apple devices wide open to hackers and spies looking to grab users’ most sensitive information.

What is this bug?: The bug affects iOS devices and Mac computers; Apple has yet to release a patch for its laptops and desktops. Apple spokeswoman Trudy Muller said that Apple is “aware of this issue and already have a software fix that will be released very soon” for Mac OS X devices.

The security firm CrowdStrike, one of the first to release information on the patch, said that the bug in Apple’s system leaves devices open to hackers by letting them bypass a verification step in SSL/TLS, the encryption that Web sites use to protect sensitive information. SSL/TLS is used by financial sites, e-mail providers and social networks, among others, to keep information that passes from users’ browsers to company servers private. The bug makes it easy for bad actors to create fake Web sites that look like sites users trust and visit every day and to grab the information that unaware users send to those companies.

What should I do?: All you iOS users should go to your Settings menu to update your system through the “General” submenu. Right now.

I’ll wait.

This is the kind of update that should not be ignored, and it doesn’t take long to install. Apple has pushed out updates for iOS 7 users, as well as for iOS 6 users who’ve been wary of making the jump to the firm’s newest system. The firm has also released an update for Apple TV.

If you have a Mac, you’ll have to sit tight until Apple releases the update, at which point you should update your system without delay. (There are some fixes that independent researchers have released out there, but they require quite a bit of technical knowledge.)

Until then, stay away from untrusted networks such as open WiFi networks at airports and coffee shops — these are the kind of networks you should avoid anyway. CrowdStrike also recommends that users turn off the “Ask to Join Networks” setting on their unpatched mobile devices and computers to keep them from joining those networks by accident.

How did this happen?: Apple is staying pretty tight-lipped about the whole thing, citing company policy not to discuss ongoing internal investigations.

A variety of security experts, however, have said that the problem lies with a duplicated line of code. According to Google engineer Adam Langley, the duplicated line means the verification can never fail, so nothing keeps imposters from directing users to fake Web sites that look secure.
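To make that defect concrete, here is an added illustration (not Apple’s code; every function name and status value in it is hypothetical) of how a duplicated, unconditional jump in a chain of checks turns the later signature check into dead code, shown beside the corrected chain:

```c
#include <stdbool.h>

/* Hypothetical status codes for the illustration. */
enum { OK = 0, ERR_HASH = -1, ERR_SIGNATURE = -2 };

/* Constructed stand-ins for the hashing steps and the final signature check. */
static int hash_step(bool step_ok) { return step_ok ? OK : ERR_HASH; }
static int signature_check(bool sig_valid) { return sig_valid ? OK : ERR_SIGNATURE; }

/* Buggy chain: the second, duplicated "goto fail" is not guarded by an if,
 * so it always jumps to the cleanup label while err still holds OK from the
 * previous successful step. The signature check below it is never reached. */
int verify_buggy(bool sig_valid)
{
    int err;
    if ((err = hash_step(true)) != OK)
        goto fail;
    if ((err = hash_step(true)) != OK)
        goto fail;
        goto fail;  /* duplicated line: unconditional jump, err == OK */
    if ((err = signature_check(sig_valid)) != OK)
        goto fail;
fail:
    return err;
}

/* Fixed chain: one guarded jump per step, so an invalid signature is reported. */
int verify_fixed(bool sig_valid)
{
    int err;
    if ((err = hash_step(true)) != OK)
        goto fail;
    if ((err = hash_step(true)) != OK)
        goto fail;
    if ((err = signature_check(sig_valid)) != OK)
        goto fail;
fail:
    return err;
}

/* Returns true when the buggy chain accepts a bad signature that the fixed
 * chain rejects, i.e. when the duplicated jump has disabled verification. */
bool buggy_accepts_bad_signature(void)
{
    return verify_buggy(false) == OK && verify_fixed(false) == ERR_SIGNATURE;
}
```

Compilers that warn about unreachable code would flag the dead signature check in the buggy version, which is one reason such warnings are worth treating as errors in security-critical code.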

“This sort of subtle bug deep in the code is a nightmare. I believe that it's just a mistake, and I feel very bad for whomever might have slipped in an editor and created it,” Langley said.

Some security experts have said this shows that Apple has been lax about checking its code for problems, and some have chided the company for not reporting or fixing the problem sooner.

Others have suggested that this may be the bug revealed in leaks from former National Security Agency contractor Edward Snowden that the agency used to gain access to iPhones.

Apple declined to provide any additional information on the bug.

Hayley Tsukayama covers consumer technology for The Washington Post.