Apple Inc. (NASDAQ:AAPL) has issued an update fixing a security flaw in its operating systems that surfaced several days ago, according to a Reuters report Tuesday. The glitch affected both Mac computers and the company’s iOS software for iPhones.
The security flaw rendered encryption useless, allowing hackers with access to a mobile user’s shared network (say, for instance, a wireless network at a cafe) to intercept data such as e-mail or online banking sessions and to see and alter exchanges between that user and various password-protected sites like Gmail and Facebook, Reuters reports.
The glitch has become known as the “gotofail” glitch after a section of Apple’s code was posted online, showing an errant duplicate line responsible for creating the glitch, reading “go to fail.”
The company issued a fix for the iPhone last week; with the OSX fix issued Tuesday, all Apple devices should now have the proper updates available to fix the problem.
The flaw has received a lot of media attention over the past few days, and Apple has come under fire for its silence during the glitch: the company never even sent out a warning to its users, advising them what they should and shouldn’t do on their Apple devices as a result of the security flaw.
“When Apple disclosed the iOS bug, they did not mention how long the bug has been around for, how/when it was discovered or affected iOS versions. It was then independent security researchers who discovered that the same issue also affects OSX users,” said Runa Sandvik, a security technologist who spoke with Forbes.
The company has also received flak for leaving both iOS and OSX users vulnerable at the same time. “Whoever at Apple decided to wait 4+ days for 10.9.2 to patch the OSX vulnerability needs to no longer be in that position,” said one Apple user to CNET.
According to Reuters and CNET, the bug arose in a custom implementation of a standard security protocol known as SSL/TLS. “By including the goto fail line twice in a row, the normal error check for some types of encryption signatures fails,” CNET reported Tuesday.