According to the Financial Express and other sources, the recent Apple patch for iOS and MacOS addresses a fundamental flaw in Apple’s implementation of SSL, which could expose users’ data to compromise even on connections protected by an SSL certificate.
The vulnerability was patched in iOS on the 22nd and, as of the 25th, is still not patched on MacOS.
According to Information Week, quoting a blogger known as “Cortesi”:
“It’s difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view, and modify nearly all sensitive traffic. This extends to the software update mechanism itself, which uses HTTPS for deployment,” Cortesi said. “It’s safe to assume that this is now being exploited in the wild. Of course, intelligence agencies have no doubt been on top of this for some time.”
Furthermore, Cortesi says in his own blog:
I’ve confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:
- App store and software update traffic
- iCloud data, including KeyChain enrollment and updates
- Data from the Calendar and Reminders
- Find My Mac updates
- Traffic for applications that use certificate pinning, like Twitter
This means that Apple MacOS is currently the most insecure operating system available; this exploit far surpasses those available for Windows and other operating systems.
Our advice: limit use of banking and social networks, and *any* kind of financial transaction, on Apple MacOS computers while on public networks AT LEAST until Apple releases a patch *AND* you have applied it.