“On Friday, Apple quietly issued an update for iPhones and iPads that fixed a big problem: encryption wouldn’t stop an attacker on the same network from intercepting sensitive information sent during banking sessions, email sessions or Facebook chats,” Kashmir Hill writes for Forbes.
“Then the news got worse,” Hill writes. “Researchers realized the same problem applied to other iProducts, such as desktops and laptops. Beyond telling Reuters reporter Joseph Menn on Saturday that a fix is coming ‘very soon,’ Apple has been silent on the issue, not even sending out a warning to its users about what they should and shouldn’t do while the vulnerability remains unfixed. Instead, it’s been left to journalists (such as my colleague Andy Greenberg) and outside security researchers (such as Ashkan Soltani and Adam Langley of Google ) to explain what’s happening in blog posts as well as tweet advice out to alarmed Macheads lucky enough to be on Twitter to see it.”
“Runa Sandvik, a security technologist (and Forbes contributor) who is among those tweeting about Apple’s security problem, created a website ‘Has GoTo Fail Been Fixed Yet?’ that pops up a simple ‘No’ with links to coverage users might want to read,” Hill writes. “‘I created the site to highlight the biggest issue here: that Apple dropped a [zero-day exploit] on users at 4pm on a Friday and has not yet made any statements about when OS X users can expect a patch,’ says Sandvik… ‘I can’t blame Apple for the SSL bug, but their response has been pretty awful,’ tweeted ACLU security technologist Chris Soghoian, who advised the lawmakers or federal agency types who inevitably look into this security mess to ‘focus on the lack of timely warning to impacted users, not the source of the flaw itself.'”
Read more in the full article here.
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014