Apple fixes OS X ‘GotoFail’ security flaw after four days of snowballing criticism

“After a very long four days of snowballing criticism by the security community, Apple has fixed the critical security flaw in its software dubbed “gotofail,” which threatened to allow any untrusted network to disable the encryption on users’ communications,” Andy Greenberg reports for Forbes.

“A description of the update on Apple’s website makes no mention of the security problem it fixes, instead focusing on updated features of Apple software like Facetime and iMessage. But an email from Apple spokesperson Ryan James adds that the updates also ‘address the recent SSL encryption issue for both Mavericks and Mountain Lion,'” Greenberg reports. “Apple had taken flak for exposing the critical vulnerability in its own software–which potentially affected Mail, Facetime, iMessage, Software Update and more–and then having no fix immediately available.”

“‘Come the hell on, Apple,’ wrote one former Apple security engineer in a strongly-worded blog post. ‘You just dropped an ugly [zero-day vulnerability] on us and then went home for the weekend – goto fail indeed,'” Greenberg reports. “Despite the growing backlash, Apple issued no warning to users about the flaw in OSX [sic], leaving them to search for workarounds and unofficial patches. Its patch will be a welcome relief to millions of worried users. But the anger from four days of waiting for it with no word from Apple may take longer than four days to dissipate.”

Read more in the full article here.

Related articles:
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014


    1. As I explain below, exploits of the SSL flaw were actually discovered two weeks ago. Even so, that’s not a bad response time.

      What I don’t like is Apple’s poor coding techniques, which can be contributed to causing the problem.

      1. “Apple’s poor coding techniques” look to me more like an unauthorized shortcut that somebody took in coding the original version. I predict that someone will be looking for a new job due to unauthorized methods in testing, and/or coding. There’s no way this would not have been caught in standard regression testing unless somebody fudged on the process.

    1. The Windows installation to which you seem to be referring did not cripple an entire fleet. It was just one ship. However, it was catastrophic enough that the ship could not move under its own power and had to be towed back to port where they did a complete overhaul of the entire network — hardware and software (but still a Windows variant). Having to be towed back to port is catastrophic enough.

      1. And then there are all to catastrophic Windows Server credit card breaches over the last 10 years. Every time I hear of one of these where millions of credit cards are exposed to fraud I research what OS and machine type it occurred on, always Windows.

  1. Not to worry
    “New iOS flaw makes devices susceptible to covert keylogging, researchers say”

    “Researchers said they have identified a flaw in Apple’s iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control…”

    This is what happens when a stylist (Ive) is in charge of software- style over substance.

    1. The vulnerability you mention has been in iOS since as far back as version 6.0.1 — maybe further. Some postulate that it was introduced in some form in the first iOS variant that allowed true multitasking (with multiple applications running in the background)..

      This has ABSOLUTELY NOTHING to do with Ive being in charge.

      Additionally, no matter what you read elsewhere, this has absolutely nothing to do with TouchID other than possibly being able to record the number of times you use TouchID. The vulnerability simply cannot gain access to your fingerprint(s) or the algorithms used to validate them.

      Further, this vulnerability is not in the wild. There has been absolutely zero documented cases of it being in the wild.

      Is it a real vulnerability in iOS/ Absolutely. Is it something to cause a modicum of concern? Yes. Is it something to worry about? NO. Is it any reason to not buy an iPhone or stop using your iPhone? Absolutely not.

    2. I may be mistaken, but doesn’t this so called vulnerability have to be introduced through a compromised App?
      Let’s see, develop an App, get it through the Apple vetting process, make it popular enough that many want to download it and “poof” you can log all their keystrokes. Piece of cake!

  2. It’s good that Apple moves at it’s own pace making lots of money and not responding to hysteria. It allows pundits to share the wealth by generating ad clicks with drivel overblowing everything. Chicken Little would be proud. Even MDN piles on when it can to get a few more pennies per click.
    Capitalism at work.

  3. Wow. Do we have any reported cases of folks actually having their systems compromised? I haven’t seen a single one… So, perhaps this was a real issue, but one that would be so rare that no one was actually affected?

    1. Somehow I doubt you did any research to see who was affected. It’s not as though those who were vulnerable would advertise the fact. Reality is, many companies had to scramble to protect themselves while Apple twaddled along without any guidance for its users. Then the software patch description didn’t even discuss the SSL security hole. VERY poor communication on Apple’s part. We should expect far better product quality, responsiveness, and communication.

      1. BS… no one had to jump through hoops, the problem was greatly exaggerated again.. I am willing to bet that no one outside of the few so called security experts could even implement what was needed to exploit the flaw.

      2. I did the same research as you – I read all the Apple sites daily. I am sure that everyone was vulnerable. But the conditions needed for the attack to be successful were fairly narrow – and the victim would have to be exposed to the attacker to begin with, making the exploit even less likely to happen in reality. Let’s try to compare this to reality – like the hack of Target credit cards. That was a real vulnerability for a great number of folks.

      3. I did look for any actual cases, and found NO RESULTS! Guess no one must have been using the same networks as all those “bad guys” the so called security experts were blabbering about, you know, the Boogeymen just waiting for us poor simple minded Apple people to fall into their clutches.

            1. known IE10 fault.
              This is a quote from one of the Microsoft Honchos.“It would seem like it’s still in the limited-attack category,” said Storms in an interview conducted using a messaging app. “So until that heats up, I don’t see them rushing to push an out-of-band fix.”

              Microsoft has said it is working on a patch for the IE vulnerability, but offered nothing about a timetable. The next regularly-scheduled Patch Tuesday is three weeks away, on March 11.

  4. Microsoft sends in fixes every week. They started 12 years ago and they are still going strong.

    Apple sends fixes 2 or 3 times a year.

    Come on Apple, be more like Microsoft.


  5. In the past six weeks, patches have been issued by Oracle, Microsoft, and Adobe to fix zero-day menaces that have already claimed victims. I didn’t see 72 point scare headlines surrounding those. The shameless must drape their mirrors.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.