On Friday Apple announced a fix to a security bug in its iOS 7 system. Today Web security experts have parsed the patch to figure out what exactly the problem was… And apparently it’s a doozy.
Wired has all of the gory details:
“[The] terse description in Apple’s announcement yesterday had some of the internet’s top crypto experts wondering aloud about the exact nature of the bug. Then, as they began learning the details privately, they retreated into what might be described as stunned silence. “Ok, I know what the Apple bug is,” tweeted Matthew Green, a cryptography professor at Johns Hopkins. “And it is bad. Really bad.”
The culprit of what may be one of Apple’s biggest security snafus is an extra “goto” in one part of the authentication code, Wired reported. That spurious line of code bypasses the rest of the authentication protocols.
The bug could could allow hackers to intercept email and other communications that are meant to be encrypted, according to a Reuters report which was issued late on Friday night.
Meanwhile, ZDNet notes that macs may have been left vulnerable.
As ZDNet’s contributing editor Larry Seltzer wrote:
Make no mistake about it, this is a very serious bug. The bug makes it fairly straightforward to intercept and decrypt SSL/TLS communications, probably the most important security protocol there is today.
Here’re more details, on the patch from ZDNet.
H/T – techcrunch
