Apple’s deafening silence on ‘GotoFail’ security flaw

“On Friday, Apple quietly issued an update for iPhones and iPads that fixed a big problem: encryption wouldn’t stop an attacker on the same network from intercepting sensitive information sent during banking sessions, email sessions or Facebook chats,” Kashmir Hill writes for Forbes.

“Then the news got worse,” Hill writes. “Researchers realized the same problem applied to other iProducts, such as desktops and laptops. Beyond telling Reuters reporter Joseph Menn on Saturday that a fix is coming ‘very soon,’ Apple has been silent on the issue, not even sending out a warning to its users about what they should and shouldn’t do while the vulnerability remains unfixed. Instead, it’s been left to journalists (such as my colleague Andy Greenberg) and outside security researchers (such as Ashkan Soltani and Adam Langley of Google) to explain what’s happening in blog posts as well as tweet advice out to alarmed Macheads lucky enough to be on Twitter to see it.”

“Runa Sandvik, a security technologist (and Forbes contributor) who is among those tweeting about Apple’s security problem, created a website ‘Has GoTo Fail Been Fixed Yet?’ that pops up a simple ‘No’ with links to coverage users might want to read,” Hill writes. “‘I created the site to highlight the biggest issue here: that Apple dropped a [zero-day exploit] on users at 4pm on a Friday and has not yet made any statements about when OS X users can expect a patch,’ says Sandvik… ‘I can’t blame Apple for the SSL bug, but their response has been pretty awful,’ tweeted ACLU security technologist Chris Soghoian, who advised the lawmakers or federal agency types who inevitably look into this security mess to ‘focus on the lack of timely warning to impacted users, not the source of the flaw itself.’”

Read more in the full article here.

Related articles:
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014

39 Comments

    1. Can you read? The article isn’t saying that Apple should be punished for having the bug, it is saying that they’ve followed very bad practice in informing users how to protect themselves now that everyone who might want to cause harm knows about it.
      There are times when keeping your mouth shut is just plain wrong. This is one of those times.

  1. Seriously, tens of millions of dollars are extorted every year out of consumers who use Winblows computers. Viruses, Trojans, and malware issues are abundant.

    How has this “fail” affected Mac Users?
    Is there even a single case that this has caused someone an issue other than them bitching about it?

    Yet your passwords, location and contacts are being stolen from the Android fanboys and no one seems to give a shit.

      1. Yes. In all of the posts, I haven’t yet seen where one person has been affected. The hacker has to be on the network the user is on. If some idiot is doing something so security critical on a network not his own, and of unknown security, he or she deserves to have all of that critical data compromised.

        Yes. This whole subject is hysterical nonsense. I personally wouldn’t want Apple explaining any vulnerability. That’s like leaving your car window open after forgetting to pick your wallet up off the passenger seat.

  2. Once again, it’s over the top, overblown, not a single user anywhere has been affected, but you’d think it was the end of the world…. Not to mention how hard it is to actually set this up to actually do anything with it.. yet as noted, Windows costs companies millions or billions each and every year trying to keep things safe, and how about Adobe Flash, an update a week is all we ask… for severe flaws.. but heaven forbid Apple actually make a small error.. This thing will probably be patched in a couple days and then what will they whine about… it was too slow? but yet no one was affected… give me a break..

  3. Why was it programmed BADLY in BASIC !!!!!!!!!!!!
    If it was programmed CORRECTLY in BASIC maybe no one would have noticed.
    Leave my BASIC alone. Poor BASIC, it wasn’t YOUR fault, now was it?

  4. Ummm. Wait, I don’t get it, I thought this was a really weird thing about a line of BASIC code. (gone wrong, or GOTO wrong).
    How would this cause trouble on a Mac?
    Who at Apple would program in BASIC anyway?
    Can we find out the name of the guy who slipped in a line of BASIC?
    Come to think about it, I thought Apple used ONLY OOP in C.
    Someth’n ain’t right here.

    1. Look before you leap, cw.

      ANSI C has had the “goto” statement for a pretty long time. And a lot of low-level code is written in C for either performance reasons or historical reasons. Objective-C is arguably the language of choice for higher-level functionality, though plenty of other languages are supported directly and indirectly.

    2. The goto statement is available in many languages, including C and C++. In some, like BASIC or FORTRAN, it’s unavoidable. In C/C++ it’s simply bad practice. In thirty years of programming C (and 20 of C++) I’ve never used it–not once. It’s there as a bailout, and in this case it must have covered something pretty sloppy.

      There are a number of programmers who somehow think that GOTO improves performance, but it doesn’t. It’s lazy and poorly thought-out programming, and this time it bit Apple in the butt. I really hope this isn’t a widespread practice inside OSX.
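The comments above debate the goto statement in the abstract. As an added illustration (constructed for this page, not Apple’s code or any commenter’s), here is the bug class the articles describe: in the common C error-cleanup idiom, one duplicated unconditional `goto fail;` makes the following check unreachable, and the function returns the still-zero `err` from the previous step, i.e. “verified”. The step functions (`hash_update_ok`, `signature_mismatch`, etc.) are stand-ins for the real operations.

```c
#include <stdio.h>

/* Constructed example: how a stray duplicated "goto fail;" turns the
 * C cleanup idiom into a silent success.  err == 0 means "ok". */

typedef int (*step_fn)(void);

/* Hypothetical stand-ins for the real hashing/verification steps. */
static int hash_update_ok(void)    { return 0; }   /* step succeeds  */
static int signature_matches(void) { return 0; }   /* 0 = verified   */
static int signature_mismatch(void){ return -1; }  /* nonzero = bad  */

/* Buggy: the second goto is unconditional (indentation is only
 * cosmetic to the compiler), so the verify() check is never run and
 * err is still 0 from update() when we reach fail:. */
int verify_buggy(step_fn update, step_fn verify)
{
    int err;
    if ((err = update()) != 0)
        goto fail;
        goto fail;                  /* stray line: always taken */
    if ((err = verify()) != 0)      /* unreachable */
        goto fail;
fail:
    return err;
}

/* Fixed: every conditional body is braced, so a duplicated goto can
 * only ever sit inside a brace block and cannot change control flow. */
int verify_fixed(step_fn update, step_fn verify)
{
    int err;
    if ((err = update()) != 0) {
        goto fail;
    }
    if ((err = verify()) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature: %d (0 = accepted)\n",
           verify_buggy(hash_update_ok, signature_mismatch));
    printf("fixed, bad signature: %d\n",
           verify_fixed(hash_update_ok, signature_mismatch));
    return 0;
}
```

Building the buggy variant with clang’s `-Wunreachable-code` flags the dead `if`, which is the kind of cheap check a review or CI gate can lean on.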

  5. It’s FUD.

    However this is Apple’s MO, under Steve, or anyone else.
    The problem does not exist until Apple says so.

    It’s not a simple GoTo statement. There is something, a lot more. Look, if you are a developer, you will understand where I am coming from. There’s regression testing and looking for similar mistakes. Review of the “programmer’s” work, who caused the problem in the first place.

    Also 10.9.2 is right around the corner.

    Look at iOS 7.0.6 update, it was 26MB.. That’s not a GoTo fix, it’s more than that.

    Just be patient, and let Apple do its job.. Stop pestering them. Last week Mac OS and iOS were the safest operating systems, commercially available. I don’t think that’s changed, even with a 0Day.

    1. “Stop pestering them?” A fine sentiment, but only 13 people are going to listen to that. No, Apple needs to be taken to the woodshed for being imperfect, if only because they themselves preach perfection. The rest of us, of course, seldom make any such egregious errors.

  6. People need to chill. Who doesn’t know that Apple is working on this?

    Seriously, there is no problem if you’re at home or at work unless you work on totally insecure networks. If you’re forced to go to a public network, use VPN, set it for all traffic. If you’re out and about and you have to use your Mac and you’re worried that there is actually a hacker in the bushes specifically waiting for you so he can do a man in the middle attack…

    USE FREAKING CHROME WHICH IS NOT VULNERABLE.
    USE FREAKING FIREFOX WHICH IS NOT VULNERABLE.

    If you insist on using Safari, fine, tether your mobile phone. Honestly, the average Flash vulnerability is much worse because it’s actually likely to hit, oh, 600,000 or so people.

  7. “that fixed a big problem”

    A BIG problem is one where people are actually being affected. You know, like Android and Windows.
    This is just a chance for alarm journalists to make some money.

    Hackers aren’t going to bother with this one because by the time they finish writing their hack, Apple will not only have a fix released by then, but most people will already have the fix installed.

  8. I think a lot of people here are missing the point…

    This is a flaw that is extremely easy to exploit. To answer the question of who has been affected by it… nobody knows, perhaps nobody, on the other hand, if I was a bad guy, I would be going to coffee shops and hotels and be getting all kinds of usernames and passwords without the user even knowing they were affected until sometime down the road when they may have noticed.

    Here’s the problem, this information is public, but only a small fraction of the public knows about it. The people who do know about it include those who may be malicious. Those who don’t know about it (hi mom) are the same ones whom SSL is supposed to protect.

    So sure, someone like me who uses VPN, avoids unencrypted networks anyway and knew about the GotoFail flaw right away probably wouldn’t have an issue, but the fact remains that most of Apple’s customers don’t realize that unencrypted wifi is now even more of a significant risk, even if SSL appears to be enabled.

    It’s a simple bug to fix and it seems very odd that Apple didn’t immediately fix it in OS X as they did with iOS. Now maybe there’s a reason for that, or maybe there’s more to it than just the simple bug that has been reported, but Apple’s silence on this isn’t helping matters and worse, since Apple isn’t talking, those reporting on the issue are the only ones informing the very demographic that needs this.

      1. “How do you know it’s a simple bug to fix?”

        Because I looked at the code.

        Given that Apple bundled this fix with 10.9.2, it now appears that was the hold-up. That was still a long time for people to go without knowing their connections were insecure despite showing that they had SSL connections.

  9. I am not happy with Apple. If there is a significant security flaw affecting my computer (which there apparently is), then I want to hear about it from Apple and not through some random media article I have to stumble upon. Apple is quick to send me all sorts of e-mails to puff their products and sell me stuff. And now when it matters, there is nothing. NOTHING. No advice on how to protect myself. No assurance that the company is working on a fix and will notify users as soon as it’s available. This speaks to a culture of corporate arrogance which is hard to comprehend. I’ve lost a lot of respect for this company over the last 2 days.
