Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’

Kristin Paget, former Apple security engineer, has posted the following via Kristin Paget’s Blog:

Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.

What didn’t happen was the corresponding OS X patch. At least not yet.

WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?

Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.

FIX. YOUR. SHIT.

Soon.

Please?

Love and hugs as always,

Me <3

Source Kristin Paget’s Blog

MacDailyNews Take: No arguments here.

Dear Apple,

Every second that passes without a fix that removes one line of code just makes you look that much more incompetent.

1. Highlight second “goto fail;” and press “delete” key
2. Release security update
3. There is no step 3.

Insecurely yours,

MacDailyNews

Even if the fix is more involved than our humorous example above, this has already taken too long. Ever get the feeling that of Apple’s 80,000 employees, only about 5 are actually allowed to do any of the real work? Why does the world’s most valuable company always seem to be stretched too thin?

Related articles:
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014

47 Comments

  1. Releasing the OSX and iOS update at once would have been a MUCH better idea. Few knew about this until the iOS update came out. From what I understand though, an attack on a mac is far less likely unless you carry your macbook around and connect to third party wifi

      1. not me, I do on my iPhone but the only networks I connect to on my macbook are known local networks. I’m Australian though, so our open wifi networks are probably far more scarce than in the civilized world

      2. Am I really that concerned with some hacker who knows enough to exploit this sitting at my local Starbucks? Not really. There’s plenty of clear text stuff being sent to http as opposed to https sites being sent to keep them busy. Sure I want it fixed but I’d be a lot more concerned with running any Android app than this one.

    1. Yes, it is true about unknown WiFi networks and The MacBooks. What I have not heard yet is how the Xcode can compile the stripped down iOS but not compile the OS X. This looks incompetent. However, if Android or Windows have full blown press reports for every hole in their OS, no other news would ever have time to be aired!

    1. As MacDailyNews laid out in such bitingly concise fashion:

      1. Highlight second “goto fail;” and press “delete” key
      2. Release security update
      3. There is no step 3.

      1. And 3 days later: “Ooops, we found a second instance in the 1 million lines of code. Please download OS X 10.9.3.”

        Or: “Ooops, removing that line dumped you into an untested SSL authentication routine that didn’t work either. And although we know that it killed your secure email entirely, please bear with us as we dig ourselves a deeper hole.”

        Or: “OK, here’s OS X 10.9.2. Sorry it took a few extra days, but there were a lot more lines of code to scan and functions to test. We’re sure it’s good now.”

      2. Unless, of course, testing after Step 1. in the above process uncovers some previously unknown bug.

        The second “GoTo” circumvents a fair amount of code. Because of the second “GoTo” this previously circumvented code has never been effectively tested.

        People seem to think the Mac OS and iOS code bases are the same. They are not. Additionally, people run internet servers with Mac OS. People do not run servers with iOS. Thus for this and the above stated reason we should all expect Apple to do a bit more testing on Mac OS before release of the fix than they did on iOS.

        HOWEVER, Apple does need to get a fix out ASAP. Several more days is NOT an option.

        1. It is very frustrating and puzzling. But I’ll give Apple the benefit of the doubt. They have a pretty good track record regarding such problems. Must be more than meets the eye?

      3. Here’s the thing, Lex: Xcode issues warnings when code is not reachable — so this is more about a coding and oversight process not working than it is about a single line of code. An engineer owned that code, and s/he made a pretty serious mistake, one which the code review process didn’t catch and which the QA process didn’t catch. Is all of this starting to sound like more than a simple “Highlight second goto fail and delete” issue? Ask yourself a basic question: You trusted the engineer, the code review process and the QA team prior to this — do you still trust them now?

        You shouldn’t. Therefore, you call in other engineers, generally with more experience or more seasoning. They have to get to know the code, which takes time. While that’s going on you get other folks reviewing the QA test matrix that didn’t catch before the public noticed.

        iOS 7.0.6 was issued, we think, with this fix. Most probably done via the “highlight code and delete” method. The risk of the code change having adverse effects was deemed to be less than the risk of letting several hundred million iOS devices remain unpatched while the public (read bad boys) were made aware and creating exploit kits to sell to kids in coffee houses with free wifi.

        OS X is both smaller in number and used very differently (read critical uses) and so management is taking the time to evaluate and overhaul the processes that allowed this to happen in the first place.

      4. Since it’s open source, maybe it’ll turn out it’s just removing one line of code and that’s it. But the same people complaining about this bug are saying “how could Apple have not tested this code”? Well, maybe they are testing the code they are about to release. iOS and Mac OS X are similar, but the Mac is far more complicated on a device. It’s easy to sit on the outside and presume incompetence or malice. After the black eye this has given them, do you think they want to get it right or not? If they release something untested, it will only worsen the situation.

  2. Oh, as far as a fix is concerned for OS X, as far as I’ve seen this issue only affects Safari, so anyone concerned in the meantime should just use another browser, like Chrome or Firefox.
    I’ll bet most Mac users already use multiple browsers, I certainly do, so there’s not too much of a hardship here.

  3. This is what happens when people who don’t know crap about software engineering start writing articles about how companies like Apple ought to do their software engineering.

    Yeah, it sounds like all that Apple has to do is delete a single GOTO. Sounds pretty easy, right? What these non-software-engineering types don’t realize is that the GOTO statement in question was skipping over a lot of code that wasn’t executing before. Who knows if it even works? Indeed, the presence of the GOTO may, in fact, indicate that the code *doesn’t* work. Perhaps Apple needs a little time to check out that code and verify that it actually *does* work properly before promulgating yet another defect on to us.

    Microsoft would have deleted the GOTO and shipped. Apple is showing some wise restraint here.

      1. And yet, Kristin Paget posts crap like this.
        Hmm, wonder why s/he no longer works at Apple?
        If s/he were responsible for this section of code, do you think that s/he would have simply deleted the GOTO without first checking to see what effect that would have on the rest of Apple’s software? To me, the blog post really smells of sour grapes.

      2. Seriously?! She makes a good point that is very reasonable, and your response is some transphobic bullshit?
        If you disagree with her argument, then point out why the _argument_ is flawed. Attacking her gender identity shows that you are a childish bully.

        1. I find your reply to Brutal Truth to be out of order, Brutal Truth NEVER attacked “her gender identity”, in fact Brutal Truth’s bon mot comment gave me a deeper appreciation into Kristin Paget’s background.

          Understanding a person’s background / milieu can be a valuable insight into understanding their bearings and opinions on a subject – and how those thoughts are expressed.

          Brutal Truth was expressing solidarity with Kristin Paget!

          Why do folk jump to the wrong conclusions so often? I think it’s the typical … shoot first, ask questions later.

          Engage the brain .. deliberate, consider and then articulate.

  4. Yes because it’s so simple and Apple employees are just sitting there with their thumbs up their asses. Btw, according to Apple Insider some are already testing 10.9.2 and the issue is fixed. I wouldn’t be surprised if it gets released today or tomorrow.

  5. With all due respect to the MDN’s coding prowess, do you think that maybe, *possibly* there might be a little bit more involved than deleting one line of code? Outside chance?

    Maybe I’m naive, but I tend to give Apple a little more credit than that given by others – even former employees.

    1. Oh come on. We all know that OS X only has, at most, 357 lines of code. The problem clearly is that the guy with the delete key forgot to send the new Mavericks code to the guy who prepares software update downloads. Sheesh. Let them get back from the cafeteria, and all will be done.

  6. I’m not sure why Paget is so bent out of shape, as “former Apple security engineer” didn’t this bug crop up during Paget’s watch?
    (Paget is shocked, shocked to learn of bugs in security code)

  7. I’d rather they take their time and release a solid patch than pull the trigger too soon and release a patch that is broken or causes other problems

    Code changes sound easy but sometimes what sounds easy in software can end up being a good chunk of work!

    1. That’s all well and good, but the problem is that they’ve also said nothing and notified no one that there is a problem, except after they were caught not saying anything and not telling anybody. That’s very very bad/naughty.

  8. Because the bad goto skipped a big block of code (the block that was supposed to do the checking) that block hasn’t actually been tested yet. Just deleting the goto may not fix the problem if there is something wrong with the untested code. I assume they are moving as fast as prudent quality assurance allows. The mistake itself was inexcusable, so they don’t want to repeat the error!

  9. Unbelievable that people would vote comments like this down. Do people really want Apple to release code as quickly as possible without checking for unintended side effects?

    1. I think because the world is rarely the way people would prefer it to be they take their frustration out in largely non-harmful manners like down-voting (anonymously) anonymous posts by others.

      If I were a software engineering manager at Apple and it was my employee who made this mistake, I would have teams reviewing all of that employee’s work — because I sure would expect my senior manager or director to be asking me if I have reviewed all of that employee’s work.

      The delay with the OS X patch is starting to feel like the iOS 7.0.6 release has uncovered other problems that “highlight and delete” didn’t fix — and Apple has taken their foot off the knee-jerk reaction pedal and is rededicating their release teams to doing this right.

  10. This does look bad for Apple, however not all of this stuff is true. What “security researchers” say and what actually happens in the real world are two completely different things.

    Remember this: has anyone actually heard of someone being hacked by this exploit? I haven’t.

    If you are using your Mac or even iOS on an untrusted “free” public wifi to do things that require a high degree of security you are an idiot. Switch to slower cell data when doing this kind of stuff. (And I know that option isn’t always available. Remember free is rarely free).

  11. MAYBE Apple’s delay is because they are also going to fix Mavericks’ SMTP connection issues as well as this one. NEITHER one should have been in the original release. After 5 40+ minute sessions with apple support, 2 uploads of data from my computer to “engineering” and 2 visits to the “genius bar” they claimed the issue, absurdly, as the version of SSL my provider uses. Interestingly the same version of SSL at my providers works for receiving emails, just not for sending. I and my provider both know that this is utter baloney.
