Apple security flaw allows spies and hackers to beat encryption

Technology giant races to release fix to block access to e-mails and other sensitive data

PUBLISHED : Monday, 24 February, 2014, 4:48am
UPDATED : Monday, 24 February, 2014, 4:53pm

Apple said it would issue a software update "very soon" to cut off the ability of spies and hackers to grab e-mail, financial information and other sensitive data from Mac computers.

Confirming researchers' findings that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller said: "We are aware of this issue and already have a software fix that will be released very soon."

Apple released a fix on Friday afternoon for the mobile devices running iOS, and most will update automatically. Once that fix came out, experts dissected it and saw the same fundamental issue in the operating system for Apple's mainstream computers.

That started a race: intelligence agencies and criminals will try to write programs that take advantage of the flaw on Macs before Apple pushes out the fix for them.

The flaw is so odd in retrospect that researchers faulted Apple for inadequate testing and some speculated that it had been introduced deliberately, either by a rogue engineer or a spy. Former intelligence operatives said that the best "back doors" often look like mistakes.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Adam Langley, who deals with similar programming issues as a Google engineer, wrote on his blog: "I believe that it's just a mistake and I feel very bad for whoever might have slipped."

The problem lies in the way the software recognises the digital certificates used by banking sites, Google's Gmail service, Facebook and others to establish encrypted connections.

A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
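The kind of mistake described above, shown as an added illustration in C that is constructed for this page and is not Apple's source code: a duplicated line under an `if` without braces skips the signature check, and a negative test of the sort researchers said was missing catches it. All function names and the sample signature strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; all names here are hypothetical. */
static int hash_step(const char *data) { return data ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed: without braces the if guards only the first goto. */
int verify_flawed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_step(sig)) != 0)
        goto fail;
    goto fail; /* stray duplicate: always runs, and err is still 0 */
    err = check_signature(sig, expected); /* unreachable */
fail:
    return err; /* 0 means "verified" */
}

/* Fixed: braces on every branch, duplicate removed. */
int verify_fixed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_step(sig)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

typedef int (*verifier_fn)(const char *sig, const char *expected);

/* Negative test: returns 1 only if a mismatched signature is refused. */
int rejects_forgery(verifier_fn verify) {
    return verify("forged", "genuine") != 0;
}

int main(void) {
    printf("flawed rejects forgery: %d\n", rejects_forgery(verify_flawed));
    printf("fixed rejects forgery:  %d\n", rejects_forgery(verify_fixed));
    return 0;
}
```

Indenting the stray `goto` one level deeper makes it read as part of the `if`, which is why review can miss it; building with clang's `-Wunreachable-code` flags the dead signature check.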

The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a Wi-fi wireless set-up common in public places. Industry veterans warned users to avoid unsecured Wi-fi until the fix was available and installed.