Don't Worry, The Fix For The Failed Encryption On Macs Will Be Available 'Very Soon'!
If you're an iPhone, iPad or iPod user, then chances are you took Apple's advice and quickly installed the recently released iOS 7.0.6 last Friday afternoon to protect your data. Although the bug fix description was fairly vague, you and numerous other users trusted Apple. Now we know just how serious the security issue potentially was for your smartphone or tablet. While the problem was allegedly fixed on the iOS side, it appears that the desktop and notebook range of Macs is still vulnerable to hacker attacks.
When I say hacker attack...
…I mean that a skilled hacker can take advantage of the officially announced vulnerability to intercept communications from your devices. Data such as emails, passwords or your banking info, which your device sends over HTTPS and other SSL-protected channels, can end up with the hacker. In short, the encryption between you – the user – and the websites is compromised.
Given the nature of the flaw, many have started speculating that this is the work of a spy whose mission was to implant a backdoor virus that would facilitate access for the NSA and other surveillance agencies. To lend a bit of credibility to this story, some people have even compared the vulnerability with the attacks used against Belgacom, Belgium's largest telecom provider.
I'm not really adept at conspiracy theories, so I prefer to believe that the vulnerability was an unfortunate accident, as described by Adam Langley of Google's security team.
'We are aware of the issue'
After Apple spokesman Trudy Muller announced on Friday that the company is aware of the issue and has a solution for it, Apple released a fix the same day for iOS mobile devices. The good part was that iOS updated automatically. The bad part is that, according to Reuters, the same fundamental issue was present in the operating system that runs on Macs. Until they release a bug fix that can actually remove the SSL/TLS threat, my advice to you is to avoid all unknown networks and stick to Wi-Fi networks that have WPA2 security enabled.
Safari was vulnerable to SSL/TLS threats all along
According to the security firm that discovered the bug (CrowdStrike), the vulnerability seems to be specific to Safari and doesn't appear to affect Chrome or Firefox. The same researchers underline that the tests performed shouldn't be viewed as definitive and promise to further investigate whether the flaw goes beyond the browsers. From what I can gather, using Chrome or Firefox instead of Safari until they figure things out is a good idea.