Apple’s deafening silence on ‘GotoFail’ security flaw

“On Friday, Apple quietly issued an update for iPhones and iPads that fixed a big problem: encryption wouldn’t stop an attacker on the same network from intercepting sensitive information sent during banking sessions, email sessions or Facebook chats,” Kashmir Hill writes for Forbes.

“Then the news got worse,” Hill writes. “Researchers realized the same problem applied to other iProducts, such as desktops and laptops. Beyond telling Reuters reporter Joseph Menn on Saturday that a fix is coming ‘very soon,’ Apple has been silent on the issue, not even sending out a warning to its users about what they should and shouldn’t do while the vulnerability remains unfixed. Instead, it’s been left to journalists (such as my colleague Andy Greenberg) and outside security researchers (such as Ashkan Soltani and Adam Langley of Google ) to explain what’s happening in blog posts as well as tweet advice out to alarmed Macheads lucky enough to be on Twitter to see it.”

“Runa Sandvik, a security technologist (and Forbes contributor) who is among those tweeting about Apple’s security problem, created a website ‘Has GoTo Fail Been Fixed Yet?’ that pops up a simple ‘No’ with links to coverage users might want to read,” Hill writes. “‘I created the site to highlight the biggest issue here: that Apple dropped a [zero-day exploit] on users at 4pm on a Friday and has not yet made any statements about when OS X users can expect a patch,’ says Sandvik… ‘I can’t blame Apple for the SSL bug, but their response has been pretty awful,’ tweeted ACLU security technologist Chris Soghoian, who advised the lawmakers or federal agency types who inevitably look into this security mess to ‘focus on the lack of timely warning to impacted users, not the source of the flaw itself.'”

Read more in the full article here.

Related articles:
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014


    1. Can you read? The article isn’t saying that Apple should be punished for having the bug, it is saying that they’ve followed very bad practice in informing users how to protect themselves now that everyone who might want to cause harm knows about it.
      There are times when keeping your mouth shut is just plain wrong. This is one of those times.

  1. Seriously, 10’s of Millions of dollars are extorted out of consumers every year that use Winblows computers. Virus’s, Trojan, and Malware issues abundant.

    How has this “fail” affected Mac Users?
    Is there even a single case that this has caused someone an issue other then them bitching about it?

    Yet your passwords, location and contacts are being stolen from the Android fanboys and no one seems to give a shit.

      1. Yes. In all of the posts, I haven’t yet seen where one person has been affected. The hacker has to be on the network the user is on. If some idiot is doing something so security critical on a network not his own, and of unknown security, he or she deserves to have all of that critical data compromised.

        Yes. This whole subject is hysterical nonsense. I personally wouldn’t want Apple explaining any vulnerability. That’s like leaving your car window open after forgetting to pick your wallet up off the passenger seat.

  2. Apple has not released a patch yet because NSA want’s Apple to insert some other hard-to-catch-vulnerability in the same patch so NSA can go on with their business…

  3. once again, its over the top, overblown, not a single user anywhere has been affected, but you’d think it was the end of the world…. Not to mention, how hard it is to actually set this up to actually do anything with it.. yet as noted, Windowscosts companies millions or billions each and every year trying to keep things safe, and how about Adobe Flash, an update a week is all we ask… for severe flaws.. but heaven forbid Apple actually make a small error.. This thing will probably be patched in a couple days and then what will they whine about… it was too slow? but yet no one was affected… give me a break..

  4. Why was it programmed BADLY in BASIC !!!!!!!!!!!!
    If it was programmed CORRECTLY in BASIC maybe no one would have noticed.
    Leave my BASIC alone. Poor BASIC, it wasn’t YOUR fault, now was it?

  5. Ummm. Wait, I don’t get it, I thought this was a really weird thing about a line of BASIC code. (gone wrong, or GOTO wrong).
    How would this cause trouble on a Mac?
    Who at Apple would program in BASIC anyway?
    Can we find out the name of the guy who slipped in a line of BASIC?
    Come to think about it, I thought Apple used ONLY OOP in C.
    Someth’n ain’t right here.

    1. Look before you leap, cw.

      ANSI C has had the “goto” statement for a pretty long time. And a lot of low-level code is written in C for either performance reasons or historical reasons. Objective-C is arguably the language of choice for higher-level functionality, though plenty of other languages are supported directly and indirectly.

    2. The goto statement is available in many languages, including C and C++. In some, like BASIC or FORTran, it’s unavoidable. In C/C++ it’s simply bad practice. In thirty years of programming C (and 20 of C++) I’ve never used it–not once. It’s there as a bailout, and in this case it must have covered something pretty sloppy.

      There are a number of programmers who somehow think that GOTO improves performance, but it doesn’t. It’s lazy and poorly thought-out programming, and this time it bit Apple in the butt. I really hope this isn’t a widespread practice inside OSX.

  6. It’s FUD.

    However this is Apple’s MO, under Steve, or anyone else.
    The problem does not exist until Apple says so.

    It’s not a simple GoTo statement. There is something, a lot more. Look if you are developer, you will understand where I am coming from. There’s regression testing and looking for similar mistakes. Review of the “programmer’s” work, who caused the problem in the first place.

    Also 10.9.2 is right around the corner.

    Look at iOS 7.0.6 update, it was 26MB.. That’s not a GoTo fix, it’s more than that.

    Just be patient, and let Apple do it’s job.. Stop pestering them. Last week Mac OS and iOS were the safest operating systems, commercially available. I don’t think that’s changed, even with a 0Day.

    1. “Stop pestering them?” A fine sentiment, but only 13 people are going to listen to that. No, Apple needs to be taken to the woodshed for being imperfect, if only because they themselves preach perfection. The rest of us, of course, seldom make any such egregious errors.

  7. People need to chill. Who doesn’t know that Apple is working on this?

    Seriously, there is no problem if you’re at home or at work unless you work on totally insecure networks. If you’re forced to go to a public network, use VPN, set it for all traffic. If you’re out an about and you have to use your Mac and you’re worried that there is actually a hacker in the bushes specifically waiting for you to so he can do a man in the middle attack…


    If you insist on using Safari, fine, tether your mobile phone. Honestly, the average Flash vulnerability is much worse because it’s actually likely to hit, oh, 600,000 or so people.

  8. “that fixed a big problem”

    A BIG problem is one where people are actually being affected. You know, like Android and Windows.
    This is just a chance for alarm journalists to make some money.

    Hackers aren’t going to bother with this one because by the time they finish writing their hack, Apple will not only have a fix released by then, but most people will already have the fix installed.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.