One way you can tell how serious a cyberattack, data breach or other IT incident was is by looking at when it’s announced to the public. If it’s timed to avoid headlines, you know it’s pretty bad. So when Apple announced a flaw in its products on a Friday evening, the general thinking was, “Yikes.”
And it does look bad. A bug in a line of code in its secure sockets layer (SSL) implementation meant that Apple products weren’t able to properly verify certificates.
Essentially, this meant that various sites, email services and other apps were given the all-clear to send and accept sensitive information over supposedly secure connections without anything checking to see if the other end was actually legitimate.
So hackers could easily set up sites that appear to be legitimate and pass Apple’s security tests, but are actually used in a “man-in-the-middle” attack to steal sensitive information.
First and foremost, the update Apple released on Friday is for iOS 7, iOS 6 and Apple TV. No updates have been released for OS X as of yet.
But almost all the software for Mac or iOS relies on SSL. That could mean everything from Mail to FaceTime to Calendar could be affected.
It’s not necessarily time to panic: There’s no widespread evidence that this is being exploited. But the publicity it’s generating means that some hacker somewhere is now setting to work on an exploit to catch users slow to apply updates and patches.
What do users need to do?
Simply put, iPhone users should update their iOS immediately. Mac users should make sure they have the most up-to-date version of OS X and keep an eye out for the release of the patch as well.
Two more good steps to take:
- Stay off public WiFi. The easiest way for attackers to get to your systems would be through an open, public WiFi system like the ones found in coffee shops, libraries, airports, etc. Warn users to avoid these or other unprotected networks.
- Use Chrome or Firefox. For Mac users who still need to access their online banking or other sites, Google’s Chrome and Mozilla’s Firefox browsers aren’t vulnerable the way Safari is.
As always, it’s a good idea to insist employees keep all their systems – personal, mobile and otherwise – fully patched and automatically updated.