“Like everything else on the iPhone, the critical crypto flaw announced in iOS 7 yesterday turns out to be a study in simplicity and elegant design: a single spurious ‘goto’ in one part of Apple’s authentication code that accidentally bypasses the rest of it,” Kevin Poulsen reports for Wired.
“Apple released iOS 7.0.6 yesterday to patch the bug in its implementation of SSL encryption — the internet’s standard defense against eavesdropping and web hijacking,” Poulsen reports. “But the terse description in Apple’s announcement yesterday had some of the internet’s top crypto experts wondering aloud about the exact nature of the bug. Then, as they began learning the details privately, they retreated into what might be described as stunned silence. ‘Ok, I know what the Apple bug is,’ tweeted Matthew Green, a cryptography professor at Johns Hopkins. ‘And it is bad. Really bad.'”
“Some software bugs are infinitely subtle and complicated. Others are comprehensible almost at a glance to anyone who dabbled in BASIC as a kid. The iOS 7 bug is in the latter group,” Poulsen reports. “Notice the two “goto fail” lines, one after the other. The first one belongs there. The second is a typo. That extra, duplicative line diverts the program’s execution, like a bypass stent, right past a critical authentication check. The part where the digital signature is actually checked is dead code, never reached… You can test if you’re vulnerable at GotoFail.com.”
Read more in the full article here.
“Researchers are warning that the flaw seems to affect Safari, rather than Chrome or Firefox, so switching browsers may offer a partial workaround for the vulnerability,” Andy Greenberg reports for Forbes. “I tested several browsers against a proof-of-concept demonstration of the bug recommended by several security researchers at GotoFail.com and found that Safari was in fact vulnerable to the attack, while Chrome and Firefox appeared to be unaffected. But the test shouldn’t be seen as definitive, and the impact of the flaw goes beyond browsers. Security researcher Ashkan Soltani has found that it may affect Apple’s Mail application as well, according to Ars Technica.”
“I’ve contacted Apple for comment, and I’ll update this post as soon as I hear from them. The company tells Reuters that it plans to release a second patch for OSX ‘very soon,'” Greenberg reports. “Until Apple releases a patch of its own, users should update their iOS devices to the latest version, users Chrome and Firefox rather than Safari, and try to avoid untrusted networks.”
Read more in the full article here.
Related article:
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014