Mac OS X 10.9.1 has a severe security flaw that allows hackers to intercept and look at SSL-encrypted network connections, Apple has said this week. The Cupertino company said it’s currently fixing the problem.
Information such as credit card numbers and passwords could potentially be stolen via HTTPS, IMAPS, or other SSL channels on Mac computers that are vulnerable.
The iOS 7.0.6 update delivered a fix for SSL verification issues this weekend, but Mac OS X appears to remain affected.
Apple spokeswoman Trudy Muller confirmed that Mac OS X 10.9.1 has the security flaw.
“We are aware of this issue and already have a software fix that will be released very soon,” she told Reuters.
OS X users who are unsure whether they have the problem can go to https://gotofail.com to test for the SSL bug.
Security firm CrowdStrike described how the SSL bug could be used.
“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake,” the firm said.
It added: “This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”
Google software engineer Adam Langley elaborated on the bug further on his website.
“Based on my test site, iOS 7.0.6 does fix the issue but OS X 10.9.1 is still affected. (Update: it looks like the bug was introduced in 10.9 for OS X but existed in at least some versions of iOS 6. iOS 6.1.6 was released yesterday to fix it.),” he wrote.
Langley added: “This sort of subtle bug deep in the code is a nightmare. I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.”
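The flaw in authentication logic described above was publicly traced to a duplicated `goto fail;` line, which is where the test site gets its name. The C sketch below is an added illustration, not Apple's code and not part of the original article; it models that control-flow shape with hypothetical function names and constructed checks, next to a corrected form.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake checks; names are hypothetical. */
static int hash_update_ok(void) { return 0; }            /* 0 = success */
static int check_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Flawed shape: the second "goto fail" is unconditional, so
 * check_signature() is never reached and err is still 0 (success). */
int verify_key_exchange_flawed(int sig_valid)
{
    int err;

    if ((err = hash_update_ok()) != 0)
        goto fail;
        goto fail;              /* duplicated line: not guarded by the if */
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;

fail:
    return err;
}

/* Corrected shape: one goto per check, with braces on every branch. */
int verify_key_exchange_fixed(int sig_valid)
{
    int err;

    if ((err = hash_update_ok()) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_valid)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    printf("flawed, invalid signature: %d\n", verify_key_exchange_flawed(0));
    printf("fixed,  invalid signature: %d\n", verify_key_exchange_fixed(0));
    printf("fixed,  valid signature:   %d\n", verify_key_exchange_fixed(1));
    return 0;
}
```

Compiler warnings for unreachable code or misleading indentation flag the flawed function, which is one way a defect of this shape can be caught before release.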