Apple iPhone and Mac users need to update security ASAP

iPhone 5S. Apple

Last Updated Feb 25, 2014 4:45 PM EST

Apple released a fix for its Mac OS X operating system on Tuesday, after revealing on Friday that a major security flaw had been found

The problem was initially believed to affect only mobile devices, and Apple released iOS 7.0.6 to patch the flaw in its phones on Friday. But over the weekend, it became clear that there was also a flaw with the OS X operating system, used on Macs. It's become known as the "gotofail" bug

"Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple wrote in the Friday statement. "Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."

The flaw is a Secure Socket Layer (SSL) vulnerability that allows hackers to "intercept and alter communications such as email and login credentials," according to ZDNet.

A hacker "can basically set up a connection and pretend to be Google.com," Matt Green, a Johns Hopkins University professor specializing in encryption, told Ars Technica. Then, as CNET explains, financial or password data can be collected and used against the individual.

If you've logged onto WiFi from a coffee shop, hotel, airport or other public space, you could be at risk. Hackers could have worked their way into your phone through the insecure connection, where they could have accessed any information you've shared through your phone -- including credit card numbers and addresses.

"At this early stage, the vulnerability has been confirmed in iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1, meaning it has silently exposed the sensitive communications of millions of people for weeks or months," reported Arts Technica. 

The OS X Mavericks 10.9.2 update for Macs was released Tuesday, along with updates for earlier versions of the operating system. Apple included three mentions of "attackers" and explained that they could potentially decrypt, capture or modify data protected by SSL.

  • Danielle Elliot On Twitter» On Facebook»

    Danielle Elliot is a freelance science editor and reporter for CBS News. She holds an M.A. in science and health journalism from Columbia University and a B.A. in broadcast journalism from the University of Maryland. Follow her on Twitter - @daniellelliot.

Comments