Apple fixes OS X ‘GotoFail’ security flaw after four days of snowballing criticism

“After a very long four days of snowballing criticism by the security community, Apple has fixed the critical security flaw in its software dubbed “gotofail,” which threatened to allow any untrusted network to disable the encryption on users’ communications,” Andy Greenberg reports for Forbes.

“A description of the update on Apple’s website makes no mention of the security problem it fixes, instead focusing on updated features of Apple software like Facetime and iMessage. But an email from Apple spokesperson Ryan James adds that the updates also ‘address the recent SSL encryption issue for both Mavericks and Mountain Lion,'” Greenberg reports. “Apple had taken flak for exposing the critical vulnerability in its own software–which potentially affected Mail, Facetime, iMessage, Software Update and more–and then having no fix immediately available.”

“‘Come the hell on, Apple,’ wrote one former Apple security engineer in a strongly-worded blog post. ‘You just dropped an ugly [zero-day vulnerability] on us and then went home for the weekend – goto fail indeed,'” Greenberg reports. “Despite the growing backlash, Apple issued no warning to users about the flaw in OSX [sic], leaving them to search for workarounds and unofficial patches. Its patch will be a welcome relief to millions of worried users. But the anger from four days of waiting for it with no word from Apple may take longer than four days to dissipate.”

Read more in the full article here.

Related articles:
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014

52 Comments

    1. As I explain below, exploits of the SSL flaw were actually discovered two weeks ago. Even so, that’s not a bad response time.

      What I don’t like is Apple’s poor coding techniques, which can be contributed to causing the problem.

      1. “Apple’s poor coding techniques” look to me more like an unauthorized shortcut that somebody took in coding the original version. I predict that someone will be looking for a new job due to unauthorized methods in testing, and/or coding. There’s no way this would not have been caught in standard regression testing unless somebody fudged on the process.

    1. The Windows installation to which you seem to be referring did not cripple an entire fleet. It was just one ship. However, it was catastrophic enough that the ship could not move under its own power and had to be towed back to port where they did a complete overhaul of the entire network — hardware and software (but still a Windows variant). Having to be towed back to port is catastrophic enough.

      1. And then there are all to catastrophic Windows Server credit card breaches over the last 10 years. Every time I hear of one of these where millions of credit cards are exposed to fraud I research what OS and machine type it occurred on, always Windows.

  1. Not to worry
    “New iOS flaw makes devices susceptible to covert keylogging, researchers say”
    http://arstechnica.com/security/2014/02/new-ios-flaw-makes-devices-susceptible-to-covert-keylogging-researchers-say/

    “Researchers said they have identified a flaw in Apple’s iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control…”

    This is what happens when a stylist (Ive) is in charge of software- style over substance.

    1. The vulnerability you mention has been in iOS since as far back as version 6.0.1 — maybe further. Some postulate that it was introduced in some form in the first iOS variant that allowed true multitasking (with multiple applications running in the background)..

      This has ABSOLUTELY NOTHING to do with Ive being in charge.

      Additionally, no matter what you read elsewhere, this has absolutely nothing to do with TouchID other than possibly being able to record the number of times you use TouchID. The vulnerability simply cannot gain access to your fingerprint(s) or the algorithms used to validate them.

      Further, this vulnerability is not in the wild. There has been absolutely zero documented cases of it being in the wild.

      Is it a real vulnerability in iOS/ Absolutely. Is it something to cause a modicum of concern? Yes. Is it something to worry about? NO. Is it any reason to not buy an iPhone or stop using your iPhone? Absolutely not.

    2. I may be mistaken, but doesn’t this so called vulnerability have to be introduced through a compromised App?
      Let’s see, develop an App, get it through the Apple vetting process, make it popular enough that many want to download it and “poof” you can log all their keystrokes. Piece of cake!

  2. It’s good that Apple moves at it’s own pace making lots of money and not responding to hysteria. It allows pundits to share the wealth by generating ad clicks with drivel overblowing everything. Chicken Little would be proud. Even MDN piles on when it can to get a few more pennies per click.
    Capitalism at work.

  3. Wow. Do we have any reported cases of folks actually having their systems compromised? I haven’t seen a single one… So, perhaps this was a real issue, but one that would be so rare that no one was actually affected?

    1. Somehow I doubt you did any research to see who was affected. It’s not as though those who were vulnerable would advertise the fact. Reality is, many companies had to scramble to protect themselves while Apple twaddled along without any guidance for its users. Then the software patch description didn’t even discuss the SSL security hole. VERY poor communication on Apple’s part. We should expect far better product quality, responsiveness, and communication.

      1. BS… no one had to jump through hoops, the problem was greatly exaggerated again.. I am willing to bet that no one outside of the few so called security experts could even implement what was needed to exploit the flaw.

      2. I did the same research as you – I read all the Apple sites daily. I am sure that everyone was vulnerable. But the conditions needed for the attack to be successful were fairly narrow – and the victim would have to be exposed to the attacker to begin with, making the exploit even less likely to happen in reality. Let’s try to compare this to reality – like the hack of Target credit cards. That was a real vulnerability for a great number of folks.

      3. I did look for any actual cases, and found NO RESULTS! Guess no one must have been using the same networks as all those “bad guys” the so called security experts were blabbering about, you know, the Boogeymen just waiting for us poor simple minded Apple people to fall into their clutches.

            1. known IE10 fault.
              This is a quote from one of the Microsoft Honchos.“It would seem like it’s still in the limited-attack category,” said Storms in an interview conducted using a messaging app. “So until that heats up, I don’t see them rushing to push an out-of-band fix.”

              Microsoft has said it is working on a patch for the IE vulnerability, but offered nothing about a timetable. The next regularly-scheduled Patch Tuesday is three weeks away, on March 11.

  4. Microsoft sends in fixes every week. They started 12 years ago and they are still going strong.

    Apple sends fixes 2 or 3 times a year.

    Come on Apple, be more like Microsoft.

    s/

  5. In the past six weeks, patches have been issued by Oracle, Microsoft, and Adobe to fix zero-day menaces that have already claimed victims. I didn’t see 72 point scare headlines surrounding those. The shameless must drape their mirrors.

  6. Wait someone discovered it on Thursday, people bitch about it over the weekend and Tuesday Apple fixed it. What’s the problem? So Apple should employ people over the weekend on an issue they can easily fix in 5 minutes. But Knowing Apple they had a Incremental update planned and rolled it into it. And People Bitch and bitch. Really? It’s not like Apple is Microshit that they have to patch 15 bugs and take 6 months to do it(Windows 8.1?). But 4(FOUR) days and people complain. Geez.

    1. Actually, Dan Goodin at ArsTechnica was talking about three exploits in the wild regarding what turned out to be this SSL security flaw about two weeks ago. IOW: This was already a known security hole by the hackers at least that long ago.

      1. I must also point out that the SSL security flaw can be partially attributed to POOR coding techniques over at Apple. The ‘GOTO’ statement that was reported to be the source of the problem should never have been used in the first place.

        There’s going to be noise about Apple’s poor coding techniques, specific to using GOTO statements, over the next few months.

        And please don’t bother flaming me about GOTO. I made the point. It’s over.

        1. Excuse me, but GOTO is a perfectly valid statement to use in C when you are not going outside the local environment. Years ago I had a programming instructor who insisted that we could not use GOTO at all. It, and he, both proved to be pains in the ass.

          1. ‘pains in the ass’! LOL!

            My professor was a very nice fellow. HOWEVER, I had another professor who had a very odd point of view about some aspects of modern programming. He considered frameworks to be ‘a failure. They never work.’ And of course he was quite wrong.

            I guess one takeaway message is that even though coding is considered ‘engineering’, in includes vast aspects of human behavior. That’s one reason another of my professors told all of us we were crazy to want to study software project management. The people factor is highly unpredictable.

            1. The only verity is that ‘never’ never prevails. As an aspirational species, one so desirous of certainty that we dare to invent gods, our own hubris overtakes and defeats us in our pursuit of exactitude, unswerving law, unforgiving principle, ownership of all that’s holy and then some.

              That’s what I witness, and personally I choose to assume a humbler position in the face of a magnificence more cruel and inattentive to our primitive needs than we take the time to notice.

  7. Wasn’t the “bug” caused by a type-o in code? That’s scares me more, that no one proofed or caught it, than the length of time it took to fix… Detail was always an Apple staple.

            1. I try. I prefer to keep it as simple, direct and humorous as possible. David Pogue was one of my heroes.

              But I have to fight my use of strange syntax, crap spelling and typos. I’m not a natural writer. But I’ve worked at it in order to get what’s in my head onto ‘paper’ in order to hopefully help and amuse folks. Similarly, I’ve become rather good at giving public talks as well.

            2. I’d like to put in a good word… You’re better than Pogue, because you allow your personality into the arena, no face paint, no safety net. Also you don’t squander everyone’s precious time pretending to be fair and balanced, as journalists are sworn to do even at the cost of garroting truth and dumping the body in an alley somewhere. And finally, you don’t let your natural male narcissism get in the way of helping people, the way most of the rest do.

            3. Hmm. I’m not too good at self-reflection. I derailed my narcism in a big way at 13. I am a default chameleon of sorts in that I passively pick up on the people around me. I studied acting, especially improvisation, as a teen, which allowed me to overcome fear of audiences. I’m a huge fan of the confrontational and interactive aspects of the Italian Futurist art movement (but not its love of war and fascism). Sprinkle in my experience dealing with trolls on the Usenet news groups in the 1990s. Mix thoroughly then add a dollop of my angry Scottish heritage and you get the persona I generally use on the Internet.

              The persona is very deliberate. It does indeed free me from having to play at ‘fair and balanced’ journalistic approaches. I get to write out my opinions as they are. I’m not paid for any of it and have no worry about some future boss getting upset about it as I am independent.

              As the oldest son of four, I have over-responsibility syndrome and can’t help but help people. I’m well trained and oriented to that approach in my work.

              Off Internet, I work harder at the fair & balanced because I’m not in a scenario professing and defending all things Apple. I’ve worked for several years with the local PC user group (yes PC as in Windows) because I can contribute knowledge and teaching that is applicable to any computer user. I have a pile of friends who are Windows oriented. I only go Apple maniacal when the occasion calls for it and I have someone interested in hearing my bletherfest on the subject.

              There’s a brain dump, for anyone interested.

  8. Apple moves at its own pace to correctly fix things and not create new problems. There is no magic wand that does this. Millions of lines of code must be sorted out even if only one line is wrong. Plus they added a ton more fixes and enhancements with 10.9.2.

    1. 10.9.2 was actually ready to go last week, at least from a beta tester’s POV. I expect Apple held back 10.9.2 over the last couple weeks specifically to address the SSL flaw. In any case, I think the timing worked out rather nicely.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.