Apple Inc (AAPL) said on Saturday it would release a software update “very soon” to stop hackers from intercepting and decrypting Secure Sockets Layer (SSL)-encrypted connections from its Mac desktop and notebook line-up.
Confirming researchers’ findings late Friday that a major SSL flaw in its software for mobile devices — which allows hackers to capture or modify data in supposedly secure sessions — also appears in notebook and desktop machines running Mac OS X 10.9.1, Apple spokeswoman Trudy Muller told Reuters News: “We are aware of this issue and already have a software fix that will be released very soon.”
The Cupertino, Calif.-based tech giant issued updates for versions 7.0.6 and 6.1.6 (available now for download) of its mobile operating system iOS on Friday to address the same flaw in iPhones, iPads and iPods.
But it quickly became apparent that the flaw also exists in desktop and laptop computers running Mac OS X Mavericks, Apple’s newest operating system for the Mac.
According to Apple, the security hole was caused by the Secure Transport component of the OS failing to validate “the authenticity of the connection,” suggesting some sort of failure in the way the software verifies the certificate or identity of whatever system is used by banking or shopping sites, Google (GOOG)’s Gmail service, Facebook (FB) and others when establishing encrypted connections.
The hole has been present for months, researchers who tested earlier versions of Apple’s software told Reuters.
Apple did not say when or how it learned about it, but admits “the issue was addressed by restoring missing validation steps.”
The flaw is certainly embarrassing for Apple, considering SSL certificates are hardly groundbreaking stuff: these data files, which digitally bind a cryptographic key to an organization’s details, have been around for years.
Shares of AAPL last closed down $5.90, or 1.11%, at $525.25.