Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible

“After Apple fixed the SSL bug in iOS, it’s unclear why three days have passed without an OS X fix after it was revealed by Reuters that the vulnerability was created by an error in a single line of code,” Ben Lovejoy reports for 9to5Mac.

“As the bug is in Apple’s SSL authentication code, it leaves a whole range of apps vulnerable, not just Safari,” Lovejoy reports. “Security researcher Ashkan Soltani (via Forbes) tested the apps installed on his own system and found that those vulnerable to the bug included Mail, Twitter, Facetime, iMessage and even Apple’s software update mechanism.”

Lovejoy reports, “Some conspiracy theorists were suggesting that Apple had introduced the bug deliberately for use by the NSA…”

Read more in the full article here.

“Apple on Friday pushed out an iOS fix for the SSL/TLS bug. The concerns of the Mac community shifted to the then still-missing patch for OS X,” David Morgenstern writes for ZDNet. “An Apple spokesperson said the fix was due very soon. That ‘soon’ didn’t arrive on the weekend. Maybe Monday.”

“Lloyd Chambers at The Mac Performance Guide said it’s continuing evidence of ‘core rot,’” Morgenstern writes. “He’s had a special report up on the subject for quite a while. Chambers says that Apple appears to have plenty of engineers for ‘eye candy,’ as well as for screwing up usability, but not for security and testing.”

“I suggest that Apple’s top brass and corporate culture hasn’t caught up to the demands of its new role as a market leader. A number of years ago, I noted that Apple’s software engineering team was stretched to the limit by the release cycles of Mac OS and iOS. Engineers spent their energy working on one ‘side’ (iOS) while bugs went unfixed on the Mac side. The software engineering was stretched thin,” Morgenstern writes. “Apple’s closed system keeps most OS X and iOS users safe. And there’s still a modicum of safety from the neglect of malware writers; most phishing attacks are done for Windows users. Still, the key to Apple’s strategy is that it can always execute on its OSes and applications. If it doesn’t, then we all sink together.”

Read more in the full article here.

“Sure would be interesting to know who added that spurious line of code to the file,” John Gruber writes for Daring Fireball. “Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer.”

“Once the bug was in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets ‘added’ to PRISM,” Gruber writes. “Or, maybe nothing, and this is all a coincidence.”

Read more in the full article here.

Related articles:
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014

16 Comments

  1. Times like these I really miss Steve Jobs. This lack of a fix and lack of urgency for the one line of code threatening security had better not be like Apple Maps, which has not been fixed since Scott Forstall was fired.

    1. I am shocked with so many biased comments coming from Steve Jobs worshipers…
      Come on, snap out of it. Steve was not this flawless perfection.
      He had his share of major screwups! But worshipers like you gave him every break you could… And now after his passing all you do is reminisce about the good old times as if Apple made no mistakes when Jobs was there.
      Which is as far from the truth as anything can be.

  2. The bug was discovered in the open source version that Apple releases – there is no guarantee that the “goto fail;” bug is exactly the thing Apple is fixing. I think it’s entirely possible that the “goto fail;” was introduced when Apple merged their version into the open source version. Apple maintains the open-source version; does that mean they use that same version??

  3. A possible explanation would be that the “goto fail;” was HIDING ANOTHER bug that prevents some stuff from working at all. So maybe Apple has found such a second bug after they fixed the first one (this shit happens), so that bug needs to be fixed as well, otherwise they’d release a “fix” that breaks other important things.
    So much for the armchair experts who think it’s a good idea to fix and release without testing.

  4. The whole point of the goto was to skip a block of code, probably during development because that block wasn’t finished yet. Somebody forgot to delete it or comment it out when the block was finished. Really stupid mistake, but hardly proof of a conspiracy theory. They are checking the untested code before releasing the fix.

    1. Thank you. This really should be upvoted more. If that duplicated line of code was really skipping an entire block of code, there’s a good chance said block of code was never tested at all. Do people really want Apple to rush out a fix that involves activating code that was never tested?

      ——RM

  5. The “bug” is affecting several Apple-developed applications and is not confined to Safari.

    From another article:
    “Apple has confirmed that it will issue a software update “very soon” to patch the security flaw found in OS X that allows attackers to capture or modify data protected by the SSL/TLS protocols in Safari, reports Reuters. The vulnerability of OS X to the bug was detailed by security firm CrowdStrike and a Google engineer last Friday, and came right after Apple released iOS 7.0.6 to fix the SSL-related issues on iOS.

    However, the security flaw, which has been termed “GoToFail” by security specialists due to the improperly used “goto” command that triggers it, may be affecting more than just Safari. Independent privacy researcher Ashkan Soltani has pointed out on his Twitter (via Forbes) that Apple’s vulnerable SSL library is also used by apps including FaceTime, iMessage, Twitter, Calendar, Keynote, Mail, iBooks, Software Update, and more.

    Soltani does point out that apps such as iMessage and FaceTime have added security measures that weaken the effects of the security flaw, but also added that the initial iCloud login used to authenticate such apps may also be compromised. The researcher states that other parts of the protocol such as the handshake between a service and a device are vulnerable to an attack as well, and will need to be secured by Apple.

    Currently, users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari. As users wait for a fix to the flaw, CrowdStrike recommends avoiding untrusted and unsecured WiFi networks while traveling. The site also recommends that users update to iOS 7.0.6 if they have not yet installed it on their iOS devices.”

    1. Who’s saying “…the improperly used ‘goto’ command”?

      There’s nothing improper in the use of a goto statement here. Long-established best practices in C hold that as long as you are not sending execution outside the current context the goto command is valid.

      That said, when I looked at the publicly available source code I would take issue with the name given to the label that is the target of the goto. It may seem a small nuance, but calling it “fail” predisposes a code reviewer to believe that the code is handling or reporting the failure. My read of the code is that it is simply cleaning up some buffers and passing the return code on back up the execution stack. As I’ve said elsewhere here, were I the person called in to check on this flaw I would be sitting down for a bit longer evaluation of the code than the knee-jerk crowd is calling for.

  6. Let’s see if I have this straight. The bad guys have to be on the same network as you to even be able to try this stuff. So, if I am dumb enough to use an unsecured WiFi network to transmit my banking information, provide credit card information, etc., my information could be captured by an unscrupulous individual lurking on the same WiFi network. I know, I know, there are a lot of people that do this all the time (use unsecured WiFi to do business) but, “Stupid is as Stupid does.” Don’t do it, and you don’t have a problem?

  7. Given the intensity of Apple’s code inspection and testing, I am surprised that a simple text search for duplicate lines and standard known attack methods and scans are not routinely used in a methodical way.

    Sounds like an upgrade in Apple’s internal testing is going on right now.

    1. Xcode provides warnings for code that is unreachable. Xcode provides a code analysis mode that shows execution path in very graphical ways.

      This mistake has shown a hole to exist in the process being used, and you can bet a lot of money that the process is under review… “How did this happen?”

      And until “How did this happen?” is answered and fixed, there’s not a great deal of certainty that any quick fixes wouldn’t also fall prey to an inadequate release process.
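The control-flow shape that comments 4 and 4.1 describe (a duplicated, unconditional goto that skips every check after it) and the unreachable-code warning mentioned in comment 7.1 are easy to see side by side in a small program. The following is an added example written for this page; it is not Apple’s source and not any project’s code. The step functions, the `final_check()` flag argument and the function names are constructed stand-ins for a chain of verification steps that either succeed (0) or report an error and jump to a cleanup label.

```c
#include <stdio.h>

/* Constructed stand-ins (not Apple's code): each verification step returns 0
 * on success or a negative error code. step_ok() always succeeds; final_check()
 * is driven by a flag so both control flows can be compared on the same input. */
static int step_ok(void) { return 0; }
static int final_check(int should_fail) { return should_fail ? -1 : 0; }

/* Buggy shape. The second "goto fail;" is not under any if, so it is always
 * taken: the final check below it is unreachable. err still holds the 0 from
 * the previous successful step, so the function reports success even when
 * final_check() would have failed. */
int verify_buggy(int final_should_fail)
{
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                 /* duplicated line: unconditional jump */
    if ((err = final_check(final_should_fail)) != 0)   /* never executed */
        goto fail;
fail:
    /* cleanup of buffers would happen here; the label reports nothing itself */
    return err;
}

/* Corrected shape: one goto per check, and braces around every body so that a
 * stray second goto cannot silently escape the conditional. */
int verify_fixed(int final_should_fail)
{
    int err;
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = final_check(final_should_fail)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Same input, failing final check: the buggy version still returns 0. */
    printf("buggy, final check fails: err=%d\n", verify_buggy(1));
    printf("fixed, final check fails: err=%d\n", verify_fixed(1));
    return 0;
}
```

Compiling the buggy function with `clang -Wunreachable-code` flags the `if` that follows the duplicated goto as unreachable, which is the kind of automated check comment 7.1 is pointing at; making that warning fatal in the build (`-Werror`) turns a reviewer’s eye into a release gate.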

    1. Apple, in the past, has been slow because they have been thorough.

      They are being slow now for the same reason. However, this exploit came about because they have not been as thorough in the last couple of years as before. And some of the reason for that, as has been noted by others, is probably due to the compromised nature of the relationship Apple allowed to develop with the NSA.

      This backdoor was not a mistake. It was intentional, but its rather crude implementation indicates it was not vetted all the way up the chain. More than likely it was a relatively low level engineer who did it at the NSA’s behest, after some resistance by Apple leadership to compromise security features any further. Don’t underestimate the blowback that the company – all companies – are receiving because of the Snowden revelations. Many Silicon Valley corporations are rediscovering their old time libertarian religion. Perhaps too little/too late to roll everything back, but enough to make NSA so uncomfortable with the sudden lack of cooperation that they are trying to get the access they want through the men and women doing the actual coding now, as opposed to from on high. After over a decade of flouting every meaningful restriction on their behavior successfully, they feel entitled to continue now, and are panicking enough to take roads lower and lower in order to get what they want.

      At root, this situation is indicative of just how much of a mess cooperating – with nary a peep to the public – with these illegal and unconstitutional, as well as technically unsound, security services requests was and is.

      NSA & the certain other organizations & individuals within government are simply being the megalomaniacs our founding fathers feared an all powerful government would allow them to be. It is Apple, and every other company who let things get this far, that shoulder the lion’s share of the responsibility for bringing us all down. They compromised not only their own products, but the very nature of a society and internet that made their success – their very existence – possible.

      Keep up the pressure people. Jobs understood what was at stake, at least at first. The people running Apple now are not saints, and they need to be constantly reminded who they work for.

      1. Say what? Somehow the NSA got through to some low level engineer? That’s utter crap. And to think that if Apple were doing this from a high level directed down to some low-level engineer and then published in the open this flaw for all to see… just stretches incredulity beyond the breaking point.

        1. “Say what?” … if you don’t think the NSA would pay someone off to get some backdoor access, then you aren’t thinking. Plus he specifically said it DID NOT come from a high level, that there is more resistance there now, which is why they would try to use someone on the inside doing the coding. See how that works? Nothing incredible about it, especially after documents proving the NSA is even compromising hardware at this stage, sometimes from the factory, using the same methods, other times intercepted as it’s being shipped to the customer.

          The only thing stretched to the breaking point here is my ability to comprehend the stupidity of people who STILL reflexively believe – against all evidence – that this stuff just doesn’t happen in the good ol’ USA! Talk about utter crap … for grey matter, that is.

  8. Why does the headline make it sound like all OS X versions have the problem? With all these “accurate reports” flying around the web, I don’t recall seeing any reporter state this basically affects 10.9. Or did I miss out on more details along the way? 10.6.8 and 10.7.5 are just fine.
