Apple rushed out a patch for its iOS 7 and iOS 6 operating systems to fix a serious security issue. Before I explain further, let me just say this: If you’ve gotten the prompt to update and you haven’t, do it now. If you’re still running older versions of iOS on your iPhone, iPod, or iPad, update now.
Done? O.K., good.
While you’re at it, go download either Chrome or Firefox for your Mac, and stop using Safari immediately until you see a security update for OS X Mavericks, as well.
[ Updated | Apple issued an update to OS X Mavericks. ]
In a nutshell, Apple has a security hole in both its mobile and desktop operating systems that could let a malicious hacker jump in on what you think is a secure Web transaction if you’re on a public Wi-Fi network like those at a coffee shop, airport or some other location.
The vulnerability affects SSL/TLS, or Secure Socket Layer and Transport Layer Security. These are the two technologies that supposedly encrypt the conversation between your browser and the server you’re trying to access when you visit a website. They’re represented by an “https” rather than “http” in your browser’s URL bar, and they’re supposed to mean you’ve got a secure browsing session in effect.
In fact, thanks to this bug, it’s very possible you don’t. The problem lies in validating the security certificates that are sent back and forth when you’re establishing a secure connection. Thanks to this flaw, your browser can’t verify the authenticity of an encryption certificate, meaning someone could easily be pretending to be your bank’s website, your doctor’s office site or a credit card application form.
There are excellent posts here and here about the severity, technicalities and potential of the vulnerability.
The update to iOS fixes the problem, but as of now, it’s still an issue on OS X Mavericks (although it may not exist in earlier versions of the operating system) for Macintosh computers. There’s a workaround on your Mac, though — use an alternative browser and avoid public Wi-Fi hotspots until there is a fix. That method won’t work on an iPhone, iPad or iPod, because alternatives like Chrome for iOS use the same security background as Safari.
Yes, by the way, people are deeply suspicious of both the timing of when this bug appeared and how it got there, in light of recent revelations about spying activity by the National Security Agency. I’ve also spoken to one engineer who said the errant line of code that caused the security hole could easily have been a copy/paste error that would have been extremely hard to detect.
In today’s environment, I tend to assume the worst, but the important thing now is to download the patch, watch for the Mavericks fix, and as usual, trust no one.