The bug: Known as the ‘goto fail’ vulnerability, a duplicated line of code in Apple’s built-in SSL/TLS library makes the Mac skip the check that proves the remote computer it is exchanging information with actually holds the private key belonging to the certificate it presents. The Mac sees that a valid-looking certificate is present and carries on exchanging information, even though it has never confirmed that the other end is the genuine owner of that certificate rather than an impostor who has simply copied it.
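To show why one extra line matters, here is an added C illustration of the pattern (this is not Apple’s Secure Transport code; the hashing and signature routines are toy stand-ins, and the handshake bytes are constructed for the demonstration):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for the running hash over the handshake data.
 * Returns 0 (success) like the real update calls normally do.
 * The rotate-xor below is NOT a real hash; it only has to be deterministic. */
static int hash_update(uint32_t *ctx, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *ctx = (*ctx << 5) ^ (*ctx >> 27) ^ buf[i];
    return 0;
}

/* Toy stand-in for the signature check: the "signature" is simply the
 * hash XORed with a shared key. Returns 0 on match, -1 otherwise.
 * This is the step that the real bug skipped. */
static int raw_verify(uint32_t hash, uint32_t sig, uint32_t key)
{
    return ((hash ^ key) == sig) ? 0 : -1;
}

/* What a legitimate server would sign: the same hash the client rebuilds. */
uint32_t kex_hash(const uint8_t *rnd, size_t rndlen,
                  const uint8_t *params, size_t plen)
{
    uint32_t ctx = 0;
    hash_update(&ctx, rnd, rndlen);
    hash_update(&ctx, params, plen);
    return ctx;
}

/* Vulnerable shape. The second "goto fail;" is unconditional, so control
 * always jumps to the cleanup label with err still 0 from the previous
 * step. raw_verify() is never reached and ANY signature is accepted. */
int verify_kex_vulnerable(const uint8_t *rnd, size_t rndlen,
                          const uint8_t *params, size_t plen,
                          uint32_t sig, uint32_t key)
{
    uint32_t ctx = 0;
    int err;

    if ((err = hash_update(&ctx, rnd, rndlen)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: indented, but not inside the if */
    if ((err = raw_verify(ctx, sig, key)) != 0)
        goto fail;

fail:
    /* in the real code: free buffers here */
    return err;
}

/* Fixed shape: the duplicate is gone and every branch is braced, so a
 * stray line can no longer silently fall outside its condition. */
int verify_kex_fixed(const uint8_t *rnd, size_t rndlen,
                     const uint8_t *params, size_t plen,
                     uint32_t sig, uint32_t key)
{
    uint32_t ctx = 0;
    int err;

    if ((err = hash_update(&ctx, rnd, rndlen)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, params, plen)) != 0) {
        goto fail;
    }
    if ((err = raw_verify(ctx, sig, key)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed sample handshake data (not captured traffic). */
static const uint8_t SAMPLE_RND[]    = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t SAMPLE_PARAMS[] = { 0x10, 0x20, 0x30, 0x40, 0x50 };
static const uint32_t SAMPLE_KEY     = 0xC0FFEEu;

/* forged == 0: the signature a genuine server would produce.
 * forged != 0: one bit flipped, i.e. an attacker who does not hold the key. */
uint32_t sample_signature(int forged)
{
    uint32_t good = kex_hash(SAMPLE_RND, sizeof SAMPLE_RND,
                             SAMPLE_PARAMS, sizeof SAMPLE_PARAMS) ^ SAMPLE_KEY;
    return forged ? (good ^ 0x1u) : good;
}

int main(void)
{
    uint32_t forged = sample_signature(1);
    printf("vulnerable, forged signature: %d (0 = accepted)\n",
           verify_kex_vulnerable(SAMPLE_RND, sizeof SAMPLE_RND,
                                 SAMPLE_PARAMS, sizeof SAMPLE_PARAMS, forged, SAMPLE_KEY));
    printf("fixed,      forged signature: %d (0 = accepted)\n",
           verify_kex_fixed(SAMPLE_RND, sizeof SAMPLE_RND,
                            SAMPLE_PARAMS, sizeof SAMPLE_PARAMS, forged, SAMPLE_KEY));
    return 0;
}
```

Compile with any C compiler and run: the vulnerable function reports 0 (accepted) for the forged signature, the fixed one reports -1. Apple’s actual fix removed the duplicated line; bracing every branch, as the fixed version does, is the cheap habit that stops this class of slip, and a compiler warning for unreachable code would have flagged the dead raw_verify() call.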
The problem: The bug has been in the code for many months, but the flaw is now well publicised and the chances of it being exploited are much higher. An update from Apple that corrects the code and removes the flaw is expected very shortly.
Although the flaw is most easily demonstrated in Safari, any Mac software that uses Apple’s built-in SSL (Secure Sockets Layer) or TLS (Transport Layer Security) library is affected, including Mail, Messages, Calendar, FaceTime and even connections to the App Store. This leaves communications between Macs and servers open to ‘man-in-the-middle’ attacks, in which traffic between, say, your Mac and your bank, which should be protected by SSL/TLS, is intercepted by a third party sitting on the network path (a rogue Wi-Fi hotspot, for example), who can then read or alter it, including account details and passwords.
What to do: There are no reports yet of the vulnerability being exploited, but it is unlikely to be long. Until Apple releases its patch, it is prudent to avoid using Safari for sending valuable information, and to keep affected Macs off untrusted networks such as public Wi-Fi, since the attacker has to be in the path of your traffic (Mail and the other affected apps still send your account passwords, not just web traffic). If you need to use your Mac for online banking it would be wise to use Firefox or Chrome, which ship their own implementations of SSL/TLS rather than relying on Apple’s.
Apple released a patch for iOS, for iPhones and iPads, over the weekend, taking iOS to version 7.0.6. It is strongly recommended that you patch all iOS devices as soon as possible, as unpatched devices are affected by the same vulnerability. Connect the device to the mains, with internet access, tap Settings, General and Software Update, then follow the instructions.
Update: Apple has released OS X update 10.9.2, which includes a fix for the major SSL security flaw mentioned yesterday. Although it is believed (Apple haven’t been too forthcoming with details) that the SSL bug affects Mavericks (10.9) only, the recently released updates cover Mavericks, Mountain Lion and Lion.
Mac users are recommended to update their software (click the Apple logo, then Software Update, or open the App Store and click the ‘Updates’ button at the right-hand end of the toolbar). Although the software may be set to update automatically, manually selecting Software Update or visiting the App Store will force the update through immediately. The update takes a few minutes to download and longer to install, around ten minutes in total, and requires a reboot.