Yeah, this update is in regard to bad code found in the open source SSL implementation used by Apple. It had an extra line of code that allowed for a man-in-the-middle attack. Google "goto fail" and you can find ranting by security experts and paranoid conspiracy theorists. It's rather elegant if it was done deliberately. The flaw was introduced in September 2012 during a standard update to an obscure SSL authentication module found in open source code. If done with malicious intent it was pure genius, as it allowed plausible deniability and it completely disabled SSL security with fewer than 10 characters. It was a second line of code that returned an error message, silently failing the module and allowing improper SSL certificates to pass as valid. It only worked with Apple browsers and software that authenticated using the affected library. Anyone using Chrome or Firefox was unaffected.
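The control-flow shape behind the "goto fail" name, as an added example that is not part of the comment above and is not Apple's code: a duplicated unbraced `goto` next to the braced form that keeps the check reachable. The function names and the string comparison standing in for signature verification are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the hashing and signature steps (hypothetical
   names). Both return 0 on success and non-zero on failure. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int signature_matches(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed shape: only the first goto belongs to the if. The second one is
   unconditional, so the signature check below it is dead code and err
   still holds 0 from the successful hash_update. */
int verify_flawed(const char *data, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(data)) != 0)
        goto fail;
        goto fail;                 /* duplicated line, always taken */
    if ((err = signature_matches(sig, expected)) != 0)
        goto fail;
fail:
    return err;                    /* 0 is read by the caller as "valid" */
}

/* Braced shape: a stray duplicate inside the braces would be harmless,
   and the signature check stays reachable. */
int verify_fixed(const char *data, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(data)) != 0) {
        goto fail;
    }
    if ((err = signature_matches(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: "forged" does not match the expected signature. */
    printf("flawed accepts forged signature: %s\n",
           verify_flawed("handshake", "forged", "good") == 0 ? "yes" : "no");
    printf("fixed accepts forged signature:  %s\n",
           verify_fixed("handshake", "forged", "good") == 0 ? "yes" : "no");
    return 0;
}
```

Compiling the flawed function with clang's `-Wunreachable-code` or GCC's `-Wmisleading-indentation` reports the problem at build time.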