“After a very long four days of snowballing criticism by the security community, Apple has fixed the critical security flaw in its software dubbed “gotofail,” which threatened to allow any untrusted network to disable the encryption on users’ communications,” Andy Greenberg reports for Forbes.
“A description of the update on Apple’s website makes no mention of the security problem it fixes, instead focusing on updated features of Apple software like Facetime and iMessage. But an email from Apple spokesperson Ryan James adds that the updates also ‘address the recent SSL encryption issue for both Mavericks and Mountain Lion,’” Greenberg reports. “Apple had taken flak for exposing the critical vulnerability in its own software–which potentially affected Mail, Facetime, iMessage, Software Update and more–and then having no fix immediately available.”
“‘Come the hell on, Apple,’ wrote one former Apple security engineer in a strongly-worded blog post. ‘You just dropped an ugly [zero-day vulnerability] on us and then went home for the weekend – goto fail indeed,’” Greenberg reports. “Despite the growing backlash, Apple issued no warning to users about the flaw in OSX [sic], leaving them to search for workarounds and unofficial patches. Its patch will be a welcome relief to millions of worried users. But the anger from four days of waiting for it with no word from Apple may take longer than four days to dissipate.”
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014