We reported here previously on the major security flaw in both Apple’s desktop and mobile operating systems that allowed attackers to intercept communications with SSL/TLS-protected web sites. The vulnerability became widely known last week, although it had apparently existed for months. Apple released a patch to fix the problem in iOS on February 21, but OS X went unprotected for four more days, until February 25.
This is the infamous “gotofail” coding error in Apple’s implementation of the SSL/TLS protocols (the Secure Transport library). The error is a duplicated line of code: a second, unconditional `goto fail;` in the routine that verifies the signature on the server’s key-exchange message (SSLVerifySignedServerKeyExchange). Because the jump happens while the error variable still holds “success”, the function returns before it ever compares the signature, so any signature, or none at all, is accepted. An attacker positioned on the network path (on the same Wi-Fi network, for example) can present a legitimate server’s certificate while supplying his own key-exchange parameters, and can then not only capture and read the supposed-to-be-encrypted traffic but also modify the data in transit.
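To make the control-flow mistake concrete, here is a small C model of the bug, added as an illustration for this article rather than taken from Apple’s source. Only the shape of the `if ... goto fail;` ladder and the duplicated line mirror the real function; the hash and signature routines are constructed stand-ins (an FNV-1a digest compared against a stored value) in place of SHA-1 and an RSA/ECDSA check, and the error codes and sample “key-exchange parameters” are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (not Apple's definitions): 0 means success,
 * any non-zero value is an error, mirroring Secure Transport's OSStatus. */
typedef int OSStatus;
#define ERR_BAD_INPUT      (-1)
#define ERR_BAD_SIGNATURE  (-2)

/* Toy digest (FNV-1a) used in place of SHA-1; the real code hashes the
 * ServerKeyExchange parameters and checks a signature over them with the
 * public key from the server's certificate. */
static OSStatus hash_init(uint32_t *h) { *h = 2166136261u; return 0; }

static OSStatus hash_update(uint32_t *h, const uint8_t *p, size_t n) {
    if (p == NULL) return ERR_BAD_INPUT;
    for (size_t i = 0; i < n; i++) { *h ^= p[i]; *h *= 16777619u; }
    return 0;
}

static OSStatus hash_final(uint32_t *h) { *h ^= *h >> 16; return 0; }

/* In this model the "signature" is simply the digest the legitimate server
 * would produce over its own key-exchange parameters. */
uint32_t toy_sign(const uint8_t *params, size_t n) {
    uint32_t h;
    hash_init(&h);
    hash_update(&h, params, n);
    hash_final(&h);
    return h;
}

static OSStatus verify_sig(uint32_t digest, uint32_t sig) {
    return digest == sig ? 0 : ERR_BAD_SIGNATURE;
}

/* Shape of the buggy routine: the second `goto fail;` is unconditional, so
 * control jumps to the exit with err still 0 (success) and the signature
 * comparison below is never executed. Error paths before the duplicate
 * still work; only the success path is broken. */
OSStatus verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig) {
    OSStatus err;
    uint32_t h;

    if ((err = hash_init(&h)) != 0)
        goto fail;
    if ((err = hash_update(&h, params, n)) != 0)
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = hash_final(&h)) != 0)     /* unreachable from here on */
        goto fail;
    err = verify_sig(h, sig);
fail:
    return err;
}

/* Corrected routine: the stray line removed, and braces added so that a
 * repeated statement would be harmless rather than a silent bypass. */
OSStatus verify_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    OSStatus err;
    uint32_t h;

    if ((err = hash_init(&h)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, params, n)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&h)) != 0) {
        goto fail;
    }
    err = verify_sig(h, sig);
fail:
    return err;
}

int main(void) {
    /* Constructed sample data: the real server's parameters, and an
     * attacker's substitute sent alongside the real server's certificate. */
    const uint8_t genuine[]  = "ECDHE params from the real server";
    const uint8_t attacker[] = "ECDHE params chosen by the attacker";
    uint32_t sig = toy_sign(genuine, sizeof genuine);

    printf("genuine  vulnerable=%d fixed=%d\n",
           verify_vulnerable(genuine, sizeof genuine, sig),
           verify_fixed(genuine, sizeof genuine, sig));
    printf("attacker vulnerable=%d fixed=%d\n",
           verify_vulnerable(attacker, sizeof attacker, sig),
           verify_fixed(attacker, sizeof attacker, sig));
    return 0;
}
```

Run it and the vulnerable routine reports success for the attacker’s parameters with the genuine server’s signature, while the fixed routine rejects them. Two cheap defenses would have caught this: a brace-always style for single-statement `if` bodies, and compiler diagnostics such as clang’s `-Wunreachable-code` (which flags the dead statements after the unconditional `goto`) or GCC’s `-Wmisleading-indentation`; a unit test feeding a bad signature to the verifier would have caught it too.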
Apple acknowledged in the description of the software update that an attacker could “capture or modify” communications sent via certain Apple programs. The affected programs include Safari, the Mail application, and any other software that relies on Apple’s own SSL/TLS implementation. Third-party browsers such as Chrome running on OS X are not affected, because they ship their own TLS stack rather than using Apple’s.
On February 25, the company released a second patch to address the flaw in Safari and other applications on OS X Mavericks, alongside security updates for Lion and Mountain Lion. The company came under criticism from many security experts because desktop users were left vulnerable for four days after the existence of the flaw had been highly publicized (the iOS fix itself pointed anyone comparing the code straight at the bug), giving attackers a window of opportunity to exploit the vulnerability. In the meantime, the only practical mitigations for OS X users were to avoid untrusted networks and to use a browser with its own TLS stack.