Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,523
30,817



Apple has confirmed that it will issue a software update "very soon" to patch the security flaw found in OS X that allows attackers to capture or modify data protected by the SSL/TLS protocols in Safari, reports Reuters. The vulnerability of OS X to the bug was detailed by security firm CrowdStrike and a Google engineer last Friday, and came right after Apple released iOS 7.0.6 to fix the SSL-related issues on iOS.

However, the security flaw, which has been termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it, may be affecting more than just Safari. Independent privacy researcher Ashkan Soltani has pointed out on his Twitter (via Forbes) that Apple's vulnerable SSL library is also used by apps including FaceTime, iMessage, Twitter, Calendar, Keynote, Mail, iBooks, Software Update, and more.

gotofail_list_of_apps-800x216.png
A list of apps deemed vulnerable to the SSL bug found in OS X and iOS by security researcher Ashkan Soltani
Soltani does point out that apps such as iMessage and FaceTime have addded security measures that weaken the effects of the security flaw, but also added that the initial iCloud login used to authenticate such apps may also be compromised. The researcher states that other parts of the protocol such as the handshake between a service and a device are vulnerable to an attack as well, and will need to be secured by Apple.

Currently, users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari. As users wait for a fix to the flaw, CrowdStrike recommends avoiding untrusted and unsecured WiFi networks while traveling. The site also recommends that users update to iOS 7.0.6 if they have not yet installed it on their iOS devices.

Article Link: Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected
 
Article Link
https://www.macrumors.com/2014/02/23/apple-fixing-ssl-bug-other-apps-affected/
Rogifan

Rogifan

macrumors Penryn
Nov 14, 2011
24,135
31,184
So did the software release on Friday fix everything or just Safari?
 
furi0usbee

furi0usbee

macrumors 68000
Jul 11, 2008
1,790
1,382
If Apple (and all companies) don't work with independent, third party security firms, this is one reason why they should. Increasingly we are putting our most private information in the cloud and transmitting it daily. Apple needs to step up and have their systems/software tested/hacked by firms which they hire so these issues can be found out before mass release. Some of the stuff that has gotten by Apple in the past was pretty crazy how it wasn't caught. Some stuff has little impact in day to day use. This one is big however.
 
C

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
gotluck said:
I believe 7.0.6 fixed all issues for ios related to the ssl bug
Click to expand...
Hopefully along with OS X they'll release an update for iOS 7.1 beta and I guess OS X 10.9.2 beta as well to get them in line with this rather bad and important security fix.
 
C

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
SantaFeNM said:
My definition of "very soon," and Apple's definition of "very soon," are very different. :(
Click to expand...
What would be your definition of very soon given that the news of this came out mid-day Friday or so?
 
AstronomyiPhone

AstronomyiPhone

macrumors regular
Jun 9, 2013
156
6
Maryland
GoToFail.com actually exists.
Nice.
...
Aside from that, why does there need to be 'new research' to confirm that other applications are affected? The bug is a part of OS X's SSL verification system, so of course it is going to affect other applications that use Apple's web services...Forbes ad revenue...
 
iSRS

iSRS

macrumors 6502
Mar 2, 2010
468
291
Rogifan said:
Thanks. Mods, perhaps the article should be updated to make that clear.
Click to expand...

I think the issue was these apps all use the same SSL certs and now that is all fixed.

A serious question. Is the true threat as serious as some are making it? Wouldn't the "evil-doer" need to be on the same wifi network?
 
SantaFeNM

SantaFeNM

macrumors regular
Oct 13, 2012
150
210
Santa Fe, NM
C DM said:
What would be your definition of very soon given that the news of this came out mid-day Friday or so?
Click to expand...

In line with the release of the iOS update. That would be "very soon".

Apple has done a poor job of getting the word out about this vulnerability and what their customers should have been, and should be doing while waiting for the patch.

I've notified a dozen or so people I know that use iOS devices or Macs, and none of them knew about the bug, let alone that they should be avoiding public wifi. Apple could have communicated with their customers much better on this.
 
Rogifan

Rogifan

macrumors Penryn
Nov 14, 2011
24,135
31,184
AstronomyiPhone said:
GoToFail.com actually exists.
Nice.
...
Aside from that, why does there need to be 'new research' to confirm that other applications are affected? The bug is a part of OS X's SSL verification system, so of course it is going to affect other applications that use Apple's web services...Forbes ad revenue...
Click to expand...

More page views for MR. ;)
 
charlituna

charlituna

macrumors G3
Jun 11, 2008
9,636
816
Los Angeles, CA
sparkles3020 said:
I wonder if *very soon* has been worked on over the weekend?
Click to expand...

We may have an answer to that tomorrow.

What I find interesting is that the first mentions of this huge failure come AFTER Apple released the fix. Where are the tales of the actual attacks, where are the tales going on for weeks and months about how some security expert find this bug without being told to go look at the SSL coding and Apple did nothing for ages
 
T

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
What a surprise...

Only a day later AFTER iOS update with the SAME problem...

Most apple people will tell me "It's just a coincidence.." that they waited this long in the first place...

Obviously, Apple doesn't care about security..

They think they do, otherwise this SSL issue would have been right at the top of the list.... against all other "features" that SHOULD come after security, not before or in-between.

I would have fixed this the moment i heard about it...

What else can go wrong ?

With Apple, anything goes :) .. Next up: Macs are not as secure as Apple thought.
 
C

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
gotluck said:
There's a fix on cydia for jailbreakers on ios 6-7.1b3 :)
Click to expand...
That's certainly good. Doesn't help much for those who are running the latest iOS 7.1 beta (even not on their main devices) or running iOS 6 on iPhone 4 or 4S or 5 and don't want to go to iOS 7 or jailbreak.
 
ArtOfWarfare

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,560
6,059
MacRumors said:
termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it
Click to expand...

I'm a little interested how they know that it's goto and not some thing else… does goto actually have a one-to-one mapping with something in x86? (I guess it would be jump? But there's plenty of other things that would use jump too, I would think? Function calls would have jump-and-link, while and for would have some kind of conditional jumps… is goto really the only thing that translates directly to jump? I'm surprised Apple doesn't have a static analyzer that automatically rejects code using a goto…)
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom