Apple Staying Silent About Security Snafu


A security flaw discovered in Apple’s (NASDAQ:AAPL) iOS and OS X operating systems on Friday still has not been completely fixed, and Apple is remaining typically silent on the issue. It’s a silence that could leave millions of Apple users exposed to a security hole that lets an attacker on the same network intercept or alter traffic to sites that are supposed to be secure.

Apple acknowledged the flaw over the weekend and issued updates for iOS 6 and 7, but according to researchers the problem has not been solved, and there’s not yet an update for laptop and desktop computers. Apple has a very short entry on the issue on its security site, offering an update but also saying, “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

Apple offered a brief description of the flaw, saying: “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.” According to experts, the “issue” has hardly been “addressed” by the company at all, much less solved completely.

The bug affects the secure connections used when accessing bank accounts, email, shopping online, or any other activity that demands an encrypted connection. SSL/TLS stands for Secure Sockets Layer and Transport Layer Security, the technologies that are supposed to guarantee both that your browser’s session is encrypted and that it is really talking to the site you intended. An affected device skips the step that verifies the second part, so anyone who can sit between it and the server can impersonate the site; “goto fail” thus makes checking your bank account or making a purchase online risky, especially when using public Wi-Fi.
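The bug takes its name from a duplicated `goto fail;` line in Secure Transport’s handshake code: the stray line is unconditional, so execution jumps to the cleanup label with the error variable still set to “success” and the signature check below it never runs. The following C program is an added example, not Apple’s code and not from the article: the control flow mirrors the published bug, while the hashing and signature steps are replaced by constructed stand-ins (`hash_update`, `verify_signature`, a toy “sig:” prefix scheme) so it runs offline. In Apple’s source the extra line was indented like the guarded `goto` above it, which is part of why it was missed; it is placed at the `if` level here only to keep compilers quiet.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the hashing and signature steps that the real
 * SSLVerifySignedServerKeyExchange performs. A "valid" signature here is
 * simply the string "sig:" followed by the message; real code checks an
 * RSA/ECDSA signature over the hashed ServerKeyExchange parameters. */
static int hash_update(const char *data)
{
    return data == NULL ? -1 : 0;           /* 0 == success, as in the original */
}

static int verify_signature(const char *msg, const char *sig)
{
    if (msg == NULL || sig == NULL)
        return -1;
    if (strncmp(sig, "sig:", 4) != 0)
        return -1;
    return strcmp(sig + 4, msg) == 0 ? 0 : -1;
}

/* Control flow modeled on the vulnerable Secure Transport function. The
 * second "goto fail;" is unconditional: with err still 0 from the
 * successful hash step, execution jumps straight to the cleanup label and
 * the function reports success without ever calling verify_signature(). */
int verify_server_key_exchange_vulnerable(const char *msg, const char *sig)
{
    int err;

    if ((err = hash_update(msg)) != 0)
        goto fail;
    goto fail;                              /* the duplicated line */
    if ((err = verify_signature(msg, sig)) != 0)
        goto fail;

fail:
    return err;                             /* 0 means "connection is authentic" */
}

/* The same function with the stray goto removed: the signature is always
 * checked before the function can return 0. */
int verify_server_key_exchange_fixed(const char *msg, const char *sig)
{
    int err;

    if ((err = hash_update(msg)) != 0)
        goto fail;
    if ((err = verify_signature(msg, sig)) != 0)
        goto fail;

fail:
    return err;
}

int main(void)
{
    const char *msg = "ServerKeyExchange params";    /* constructed sample */
    const char *forged = "sig:forged";                /* wrong signature */
    printf("vulnerable, forged signature: %d (0 = accepted)\n",
           verify_server_key_exchange_vulnerable(msg, forged));
    printf("fixed, forged signature:      %d (0 = accepted)\n",
           verify_server_key_exchange_fixed(msg, forged));
    printf("fixed, valid signature:       %d (0 = accepted)\n",
           verify_server_key_exchange_fixed(msg, "sig:ServerKeyExchange params"));
    return 0;
}
```

The vulnerable version returns 0 for the forged signature, which is exactly the failure the advisory describes: a man-in-the-middle who cannot sign the handshake is accepted anyway. Compiling with warnings for unreachable code (for example `-Wunreachable-code` in clang) flags the dead `if` after the stray `goto`, which is one cheap check that would have caught this class of bug.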

Much of the concrete information about the bug, called goto fail, has been discovered and spread by security researchers and journalists. Security expert Runa Sandvik started a website called “Has goto fail been fixed yet?” that reads “No” at the top and guides Apple users to more information about the issue. Sandvik urges Apple users to update their mobile devices as soon as possible and keep an eye out for an upcoming OS X update, as well. “Without the security update, an attacker could easily listen in while you send emails, update your calendar, tweet, use Facebook, or check your bank account on a shared network, such as a public Wi-Fi at a library or coffee shop,” the site says.

There’s still not very much known about the bug beyond what researchers have pieced together. Journalists and security experts are urging anyone with an Apple product to perform the OS updates immediately and keep an eye out for further OS improvements. Apple has hardly lifted a finger to notify users at all, which leaves the many people who use the company’s products at risk. Security experts are trying to keep us filled in on the issue, but they can’t reach as many of the affected Apple owners as Apple would if it simply sent out an email to users describing the problem and the steps that should be taken to stay safe.

Security researchers Ashkan Soltani and Adam Langley have also written up useful summaries of the issue with what users can do and what Apple should do.

Apple has been getting some pretty negative attention from the tech press and community due to its handling of the issue, which hopefully could persuade the company to issue some kind of statement or at least notify users that they should perform an update as soon as possible.

Follow Jacqueline on Twitter @Jacqui_WSCS