Researchers have discovered that a massive security hole in iOS 7 and OS X also affects third-party desktop software. While iOS has been updated, no fix is available for OS X yet. Apple released the iOS 7.0.6 update on 21 February to patch a flaw in Safari's SSL authentication code that would have allowed attackers to bypass it altogether and intercept sensitive communications such as credit card information and login credentials.
Security researchers at Crowdstrike reverse-engineered the iOS 7.0.6 update and discovered that the holes patched by it also exist in OS X. Another reasearcher, Ashkan Soltani, has now posted a screenshot to Twitter highlighting a number of apps other than Safari that use the same framework. These include built-in apps such as Calendar, Keynote, FaceTime, Mail and Software Update as well as third-party apps such as Twitter. Apple allows developers to use Secure Transport while building their own apps, which means hundreds more could be affected.
Both sources have refused to divulge specific information to the public, in order to prevent potential attackers from learning more about how to exploit the flaw.
The flaw allows for a "man-in-the-middle" attack, which makes it possible for anyone on the same wired or wireless network to intercept SSL-encrypted traffic and decrypt it by pretending to be the intended recipient, for example a secure website. Such data can then be modified before it is passed on to the actual recipient and traffic returning can be intercepted as well, giving the attacker full access to your online accounts and credentials. People using public Wi-Fi hotspots are particularly vulnerable, as attackers can sniff for vulnerable computers and capture secure data without the affected users ever knowing.
Apple calls its implementation of SSL authentication framework Secure Transport. The same code is used in Safari on Apple's desktop operating system, OS X, and is also available to third-party apps.
Apple has confirmed that an update for OS X is in the works, but users are advised to avoid using the Safari browser, especially if connected to public Wi-Fi hotspots. Apple has also released an update to iOS 6 for older devices, including the iPhone 3GS and older iPod touch models, which cannot run iOS 7 but are also affected.