Apple on OS X ‘GotoFail’ flaw:

“A security flaw discovered in Apple’s iOS and OS X operating systems on Friday still has not been completely fixed and Apple is remaining typically silent on the issue,” Jacqueline Sahagian writes for Wall St. Cheat Sheet.

“It’s a silence that could lead to millions of Apple users being affected by a security hole that can allow a hacker to intercept transactions on sites that are supposed to be secure,” Sahagian writes. “Apple acknowledged the flaw over the weekend and issued updates for iOS 6 and 7, but according to researchers the problem has not been solved, and there’s not yet an update for laptop and desktop computers.”

“The bug affects the secure connections used when accessing bank accounts, emails, shopping online, or any other activity that demands secure encryption. SSL/TLS stands for Secure Socket Layer and Transport Layer Security, which are the technologies used to ensure that you have a secure session in your browser when accessing sensitive information,” Sahagian writes. “‘Goto fail’ compromises that security and makes checking your bank account or making a purchase online risky, especially when using public Wi-Fi… Apple has hardly lifted a finger to notify users at all, which is only leaving the many people who use the company’s products at risk… Apple has been getting some pretty negative attention from the tech press and community due to its handling of the issue, which hopefully could persuade the company to issue some kind of statement or at least notify users that they should perform an update as soon as possible.”

Read more in the full article here.

MacDailyNews Take: Crickets.

Related articles:
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014
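The headlines above all turn on one duplicated `goto fail;` line in Apple's SSL/TLS code. What follows is an added example for this page, not Apple's code and not code from the quoted article: a constructed C miniature of the same control-flow defect next to a hardened rewrite. The hash and signature routines are toy stand-ins (assumed for illustration only); the point is the control flow. In the vulnerable form the second `goto fail;` is unconditional, so execution jumps to the cleanup label while `err` is still 0 and the signature check never runs, which is exactly why a forged ServerKeyExchange signature is accepted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed miniature of the GotoFail control-flow defect; not Apple's code.
 * hash_update/hash_final/verify_signature are toy stand-ins, assumed here,
 * not real library APIs. */

enum { OK = 0, ERR_HASH = 1, ERR_BAD_SIG = 2 };

static int hash_update(const char *data)
{
    return data != NULL ? OK : ERR_HASH;
}

static int hash_final(char *out, size_t n)
{
    /* toy "digest": every input hashes to the same fixed string */
    const char *digest = "deadbeef";
    if (n <= strlen(digest))
        return ERR_HASH;
    strcpy(out, digest);
    return OK;
}

/* Toy rule: a valid signature is the literal "sig:" followed by the digest. */
static int verify_signature(const char *hash, const char *sig)
{
    char expected[32];
    snprintf(expected, sizeof expected, "sig:%s", hash);
    return strcmp(expected, sig) == 0 ? OK : ERR_BAD_SIG;
}

/* Vulnerable form: the duplicated "goto fail;" is unconditional, so control
 * reaches the label with err still 0 and verify_signature() never runs. */
int verify_key_exchange_vulnerable(const char *params, const char *sig)
{
    int err;
    char hash[16];

    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;
    if ((err = hash_final(hash, sizeof hash)) != 0)
        goto fail;
    if ((err = verify_signature(hash, sig)) != 0)
        goto fail;

fail:
    return err;
}

/* Hardened form: braces around every guarded statement so a stray line can
 * not silently become unconditional, and err starts as a failure so that a
 * skipped step still fails closed; only the full path sets OK. */
int verify_key_exchange_fixed(const char *params, const char *sig)
{
    int err = ERR_BAD_SIG;
    char hash[16];

    if (hash_update(params) != 0) {
        err = ERR_HASH;
        goto fail;
    }
    if (hash_final(hash, sizeof hash) != 0) {
        err = ERR_HASH;
        goto fail;
    }
    if (verify_signature(hash, sig) != 0) {
        err = ERR_BAD_SIG;
        goto fail;
    }
    err = OK;

fail:
    return err;
}

int main(void)
{
    const char *forged = "not-a-signature";
    printf("vulnerable accepts forged signature: %s\n",
           verify_key_exchange_vulnerable("ServerParams", forged) == OK ? "yes" : "no");
    printf("fixed accepts forged signature: %s\n",
           verify_key_exchange_fixed("ServerParams", forged) == OK ? "yes" : "no");
    return 0;
}
```

The fail-closed initialisation is the part worth copying: even if a future edit skips a check, the function returns an error rather than reporting success by accident. Compilers that warn on misleading indentation or unreachable code would also have flagged the vulnerable form, which is why such warnings belong in a TLS library's build.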

38 Comments

        1. We don’t have to work again either, G4, for our average AAPL price per share is 12.41, having bought the equity in 1988 and beyond. But that’s not the point here. Yes, we have made out like bandits (5700 shares now), but for those who managed to invest in–and believe in–the company during the past year and a half, the sky has fallen. True, the stock market is always little more than a crap shoot, but Tim and Company have done little lately to bolster what has clearly become a stagnant equity. (Please, no mention of buybacks or dividend offers.)

          Where are the larger iPhones? Why is no one at Apple touting the 64-bit monsters they have in their mobile devices? (They should be screaming at the top of their voices to gamers, one and all!) What’s the deal with the goto fail; how could that happen? Why the silence? Why no attack upon Google and Microsoft with an Apple search engine? Where the hell is the mobile payments network/system we’ve been hearing so much about? AppleTV? WTF? iWatch? Yeah, right.

          Our hearts, souls, and pocketbooks are sewn into the very fabric of Apple Inc., but remaining a true believer here is becoming the most painful experience of our lives. Right now, it appears as though Google, Microsoft, Samsung, Amazon, et al., are running rings around our beloved company . . . and I see no amelioration in the near or distant future.

          Truly, these are the times that try AAPL investors’ souls. May they last but little longer.

    1. And your advice is sound regardless of whether or not there is a “GOTO fail” issue. Using public networks for sensitive data is risky regardless of platform or OS. No OS is perfectly secure. Public networks are fine for YouTube, Netflix, etc., but not banking and such.

  1. Apple is dropping the ball here. It should at least notify users not to use public wifi networks until a security update can be released. This is one of the instances where Apple’s veil of secrecy is poorly applied.

    1. I agree that it’s fairly irresponsible for Apple to continue in silence.

      However, the notion that all public wifi is insecure is not correct. Public wifi with no password required is akin to shouting your passwords out to everyone around you — it is very insecure. But public wifi (let’s call it free rather than public) that is secured with a password can protect you. It’s the “can” that is problematic: Wifi secured by WEP (older — and therefore cheaper now — access points) is easily cracked. But Wifi secured by WPA, and more so WPA2, is far more secure.

      When you are using free wifi that doesn’t require a password every user’s traffic is in the clear for everyone else on that access point.

      When you are using WPA2 security a time-based rotating key is encrypting your traffic differently than every other user so you can’t effectively decrypt their traffic.

      These vulnerabilities are exploitable only when the hacker can trick your computer into believing it is talking directly with the service (banking, or whatever) you intend to be talking with. On unprotected wifi that’s really easy to do. But when your traffic between you and the access point is encrypted, they can’t get in the middle there, and have to get more involved with the wired side of the network, which because it is more intrusive is more noticeable to anyone around them.

      I don’t use the coffee house wifi or the grocery store wifi or the bookstore wifi, unless I’m in a community where there is really poor cellular data. The reason I don’t is that any decent hacker is going to create their own wireless access point with the same SSID as the coffee house uses and the same password (since it’s usually printed on paper for every customer to see, and rarely changes!) — and it’s pretty difficult for us to be certain we are going through a benevolent wifi access point. OS X will distinguish for you (in the Wifi menu) whether or not an access point is in Ad Hoc mode (i.e. sharing its internet connection via Wifi), but that’s not possible if a hacker has loaded up open source access point software to run on his/her laptop.

      But if you find yourself in a position where you must use free wifi, try to limit your choice to a wifi network that has only one access point advertising their SSID. Apple’s GUI apps won’t show this, so you need to use the command line (Terminal):

      /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

      When I see more than one device advertising the same SSID, I have to decide whether to ask an employee if they have multiple access points (“Sheez dude, how would I know — I just make coffee, okay?” 🙂)
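The commenter's check above is to scan with `airport -s` and be wary of an SSID advertised by more than one BSSID. The following is an added example, not the commenter's code or anything from the page: a C program that parses scan output in the column layout `airport -s` prints and reports SSIDs seen from more than one distinct BSSID. The sample scan is constructed, not captured from a real network; the parser finds the first MAC-shaped token on each line and treats everything before it as the SSID, so SSIDs containing spaces survive, and a rescan that lists the same BSSID twice is not counted as a duplicate. As the commenter notes, a venue with several legitimate access points looks identical, so a hit is a reason to ask, not proof of an evil twin.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_APS   64
#define SSID_LEN  33   /* 32-byte SSID plus NUL */
#define BSSID_LEN 18   /* "hh:hh:hh:hh:hh:hh" plus NUL */

struct ap {
    char ssid[SSID_LEN];
    char bssid[BSSID_LEN];
};

/* Constructed sample in the layout `airport -s` prints (assumed; not captured
 * from a real scan). "CoffeeShop" is advertised by two BSSIDs; "Library Free"
 * appears twice from the same BSSID, as a rescan would show it. */
const char *SAMPLE_SCAN =
    "                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)\n"
    "                      CoffeeShop 00:11:22:33:44:55 -45  6       Y  US WPA2(PSK/AES/AES)\n"
    "                    Library Free c0:ff:ee:00:00:01 -70  1       N  -- NONE\n"
    "                      CoffeeShop 66:77:88:99:aa:bb -52  11      Y  US WPA2(PSK/AES/AES)\n"
    "                    Library Free c0:ff:ee:00:00:01 -71  1       N  -- NONE\n";

/* True if p points at a 17-character "hh:hh:hh:hh:hh:hh" token that ends at
 * a space, newline or end of string. */
static int looks_like_bssid(const char *p)
{
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (p[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)p[i])) {
            return 0;
        }
    }
    return p[17] == ' ' || p[17] == '\n' || p[17] == '\0';
}

/* Parse one line: the SSID is the trimmed text before the first BSSID-shaped
 * token. Header and malformed lines are skipped (returns 0). */
static int parse_line(const char *line, size_t len, struct ap *ap)
{
    for (size_t i = 0; i + 17 <= len; i++) {
        if ((i > 0 && line[i - 1] != ' ') || !looks_like_bssid(line + i))
            continue;
        size_t s = 0, e = i;
        while (s < e && line[s] == ' ') s++;
        while (e > s && line[e - 1] == ' ') e--;
        if (e == s || e - s >= SSID_LEN)
            return 0;
        memcpy(ap->ssid, line + s, e - s);
        ap->ssid[e - s] = '\0';
        memcpy(ap->bssid, line + i, 17);
        ap->bssid[17] = '\0';
        return 1;
    }
    return 0;
}

static int parse_scan(const char *scan, struct ap *aps, int max)
{
    int n = 0;
    const char *p = scan;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (parse_line(p, len, &aps[n])) n++;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Collect SSIDs advertised by more than one distinct BSSID; returns how many
 * were written into dups. Each SSID is reported at most once. */
int duplicate_ssids(const char *scan, char dups[][SSID_LEN], int max_dups)
{
    struct ap aps[MAX_APS];
    int n = parse_scan(scan, aps, MAX_APS);
    int found = 0;

    for (int i = 0; i < n && found < max_dups; i++) {
        int reported = 0, other_bssid = 0;
        for (int j = 0; j < i; j++)      /* SSID already handled earlier? */
            if (strcmp(aps[j].ssid, aps[i].ssid) == 0) { reported = 1; break; }
        if (reported) continue;
        for (int j = i + 1; j < n; j++)  /* same SSID from a different BSSID? */
            if (strcmp(aps[j].ssid, aps[i].ssid) == 0 &&
                strcmp(aps[j].bssid, aps[i].bssid) != 0) { other_bssid = 1; break; }
        if (other_bssid)
            strcpy(dups[found++], aps[i].ssid);
    }
    return found;
}

int count_duplicate_ssids(const char *scan)
{
    char dups[MAX_APS][SSID_LEN];
    return duplicate_ssids(scan, dups, MAX_APS);
}

/* n-th flagged SSID, or NULL when there is none. */
const char *nth_duplicate_ssid(const char *scan, int n)
{
    static char dups[MAX_APS][SSID_LEN];
    int count = duplicate_ssids(scan, dups, MAX_APS);
    return (n >= 0 && n < count) ? dups[n] : NULL;
}

int main(void)
{
    char dups[MAX_APS][SSID_LEN];
    int count = duplicate_ssids(SAMPLE_SCAN, dups, MAX_APS);
    for (int i = 0; i < count; i++)
        printf("SSID \"%s\" seen from more than one BSSID\n", dups[i]);
    return 0;
}
```

On a real Mac the input would be the output of the `airport -s` path the commenter gives, piped into this program; here the constructed `SAMPLE_SCAN` stands in for it so the check runs offline.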

        1. If you’ll notice, there is no bullet following the name of that short post… it wasn’t me. I don’t stoop to such immature behavior. You could probably tell just by the difference in length of post that I wasn’t responding to your opinion. It’s unfortunate that MDN doesn’t prevent people from posting under other (registered) people’s names.

  2. Sell the Sizzle, not the steak.

    It would seem everyone is taking this opportunity to express their shame for Apple Inc., and I fail to see how anyone here has been directly impacted by a bug that existed long before this news broke.

    But suddenly Apple has been taken from pillar to post over a bug with real potential for damage that has yet to materialize.

    You all sound the same! Whether you’re bashing them for delaying a new gadget or getting caught up in the psychosis of pest control, You Love To Hate Apple!

    There are Marines in harm’s way RIGHT NOW! dodging death at every turn and you’re all embarrassed for a fucking bug?

    Semper Fi, Bitches.

  3. I’m not sure what’s worse… The flaw itself or that everyone won’t shut the hell up about it. Apple is working on a fix. Harping about it constantly doesn’t help, and it makes a lot of people who don’t even understand what the flaw really is more worried than they should be.

  4. I don’t get it. If I’m connected to a known secure network (like at work), and I go to gotofail.com and it tells me my system (Mavericks, of course, and Safari) is susceptible, doesn’t that mean that what wireless network I’m connected to has nothing to do with the problem?

    It’s taking so long, because they are waiting for NSA to approve the new code. You know those gov’t agencies.

    1. Correct: The wireless network you’re connected to is not the problem. Gotofail.com has carefully broken the certificates at their site. Your bank isn’t going to do that. But a hacker who can get in on your traffic to/from your bank can use the flaw to pretend to be your bank or just listen in, capturing your log in credentials for use later.

      That’s very easy to do (get in the middle) on unprotected wifi networks. Not so easy at your place of work (several assumptions about your workplace apply).

      It’s good that 10.9.2 has a fix for this flaw. But the advice pouring out about how to safely conduct oneself on the net is valid regardless — this flaw was not known about (publicly) until last week, so don’t let one’s guard down that there aren’t more or won’t be new ones that come along in updates and upgrades.

  5. So tired of all the hand wringing going on – it’s a bug. It will be fixed shortly. I have not heard of a single confirmed case of an actual person being affected by this bug aside from the hysteria in the press. Stop playing into the FUD, MDN.

  6. Until the stuff is fixed I have logged out of iCloud and am staying away from Mail and other OS X apps with hooks in the cloud on Mac. Since iOS has been patched you can do all that on your iPad instead until Apple gets off its ass.

    Here is a Flipboard on Security, Privacy and NSA Spying. You can read it on any browser or the excellent Flipboard app.

    http://flip.it/f29ZS

  7. 10.9.2 installed and working fine… SSL problem apparently solved.

    It’s clear they had a bundle of fixes in the wings, and needed to be as certain as possible that anything new didn’t break something else. It would have been helpful however to simply SAY that like two days ago. I appreciate the secrecy, and closed nature of the infinite loop but a simple announcement would have been a good idea with a flaw this serious.
