Security researchers revealed on Saturday that iOS’s validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. As a result, communications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted, potentially exposing user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.
Apple released a patch Saturday morning, available to all iOS users. iOS users should have already received a notification of the update’s availability or have had it automatically installed, depending on their device’s iOS version, update settings and available space for downloading the update.
But later on Saturday, several researchers reported that the flaw also affected OS X 10.9 Mavericks and perhaps other OS X versions. Earlier Sunday, Apple said it had a fix ready for OS X and would release it “very soon.” On OS X, the flaw is likewise limited to SSL connections over unsecured Wi-Fi networks, though only in Safari.
The update will be available through OS X’s Software Update utility, which is set to download security updates automatically by default in recent OS X versions.
iOS uses the WebKit-based Safari engine even in non-Safari browsers, so all iOS browsers can be exploited. By contrast, OS X lets each browser use it’s own browser engine. A Google security researcher said Chrome does not have the coding flaw; other researchers have said that Mozilla Firefox is likewise safe.