Apple faces recriminations after finally fixing Mac bug

News by Tim Ring

Apple Mac users can breathe a sigh of relief as the company has finally fixed a flaw that meant their personal details could be stolen while they were browsing online.

The patch plugs a hole in the Mac OS X operating system which enabled hackers to break into their supposedly secure communication with popular SSL security-protected websites. It was released on Tuesday - but this was four days after Apple issued a similar fix for iPhone and iPad users running the iOS operating system.

The timelag left Mac users vulnerable and brought heavy criticism of Apple from industry experts, especially as the problem was caused by Apple accidentally leaving an extra ‘goto fail' line in its source code.

A second Apple bug, revealed by FireEye earlier this week, remains unpatched. This keylogging flaw means hackers can potentially record every keystroke made by users of any Apple device running the latest iOS 7 operating system, even ‘non-jailbroken' devices.

Until Apple fixes the problem, FireEye said users can use the iOS task manager to prevent potential background monitoring (SC Magazine, 25 February).

Context Information Security senior consultant Kevin O'Reilly said earlier this week that Apple's reputation for security was “in tatters” after the two problems were exposed – and he believes Apple's apparent aloofness in the face of widespread criticism means it now has work to do to win back user confidence.

He told “Recriminations will now begin in earnest, with Apple having a lot to answer for. The conspicuous absence of comment from Apple, even after releasing the patch, will leave many users with serious questions about their attitude and response to serious security flaws in their own products.”

O'Reilly added: “The burning question is why, if the bug was so simple as a duplicated line of code, it took Apple so long to release the patch for OS X, particularly as the patch for iOS was released so much more quickly.”

He said that the bug fix “will come as a huge relief to Mac OS X users who, in the meantime, have been sitting ducks for attackers that might attempt to exploit this flaw” and he urged users “to update promptly to protect themselves”.

The SSL patch was one of more than 40 issued by Apple on Tuesday across its OS X, Safari and QuickTime for Windows systems. Users can upgrade to the latest version via the Mac OS X App Store.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews