Elizabeth Weise

USATODAY

Apple quietly issued a fix for a security flaw in iPhones and iPads Friday

It could have allowed hackers to intercept messages sent from phones to websites

Most Apple devices will automatically update themselves. Apple is working on a patch for its computers

SAN FRANCISCO — A security flaw could allow email and passwords to be intercepted from millions of Apple's iPhones.

The flaw allows hackers to intercept and change email messages and login credentials on multiple Apple products.

Apple released a patch Friday for the security problem. Most phones, iPods and iPads will update automatically and the security hole will be closed.

The patch was issued for iPhones 4 and 5, the fifth generation iPod touch and the second generation iPad.

Computer writer Kim Komando sent an email blast Saturday advising Apple product users to follow these steps to install the patch:

"For iOS users: Go to your settings icon – you should see a little red "1? telling you there's an update available.Click

on it, and then go to Software Update and then "Install Now."

The website AppleInsider published a report Saturday saying Apple was working on a fix for OS X, the operating system on its computers.

Apple told Reuters on Saturday that a software update to protect Apple computers against hackers and spies who might try to exploit the flaw would be issued "very soon."

The flaw exploits a vulnerability with security certificates signed by what are known as "trusted certificate authorities."

Security certificates are a basic component of computer security. They are attachments to electronic messages that verify the user sending a message is who he or she says he is. They contain information about the certificate owner, including an internet address, when it can be used, how long it is valid for and where it lives on the web.

Most importantly, the certificates carry a code (called a hash) showing they have not been tampered with.

When connecting to a web site, the Apple device should check to make sure that the site is who and what it says it is, using the certificate.

However a missing bit of computer code meant the certificates were not checked.

That would allow a malicious hacker to perpetrate what's known as a Man in the Middle Attack. Here, someone uses a faked certificate of authority to fool the device into believe it is interacting with a trusted host.

That allows the Man in the Middle to intercept all the messages (including passwords) that go between a person's iPhone and a web site, for example.

A hacker exploiting that security flaw could use it to pretend he or she was the trusted website and then steal data such as credit card numbers the phone user was sending. It could also be used to install malicious software that would stay on the phone, secretly feeding information to the hackers long after the original attack was done.

Computer scientist Adam Langley said on his blog, "This sort of subtle bug deep in the code is a nightmare. I believe that it's just a mistake and I feel very bad for whomever might have slipped in an editor and created it."