Old Feb 23, 2014, 09:18 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected




Apple has confirmed that it will issue a software update "very soon" to patch the security flaw found in OS X that allows attackers to capture or modify data protected by the SSL/TLS protocols in Safari, reports Reuters. The vulnerability of OS X to the bug was detailed by security firm CrowdStrike and a Google engineer last Friday, and came right after Apple released iOS 7.0.6 to fix the SSL-related issues on iOS.

However, the security flaw, which has been termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it, may be affecting more than just Safari. Independent privacy researcher Ashkan Soltani has pointed out on his Twitter (via Forbes) that Apple's vulnerable SSL library is also used by apps including FaceTime, iMessage, Twitter, Calendar, Keynote, Mail, iBooks, Software Update, and more.

[Image: A list of apps deemed vulnerable to the SSL bug found in OS X and iOS by security researcher Ashkan Soltani]

Soltani does point out that apps such as iMessage and FaceTime have added security measures that weaken the effects of the security flaw, but also added that the initial iCloud login used to authenticate such apps may also be compromised. The researcher states that other parts of the protocol such as the handshake between a service and a device are vulnerable to an attack as well, and will need to be secured by Apple.

Currently, users can check whether or not their computers are affected by the vulnerability by visiting gotofail.com in Safari. As users wait for a fix to the flaw, CrowdStrike recommends avoiding untrusted and unsecured WiFi networks while traveling. The site also recommends that users update to iOS 7.0.6 if they have not yet installed it on their iOS devices.

Article Link: Apple Planning Fix for OS X SSL Bug as New Research Reveals iMessage, Other Apps Affected
MacRumors is offline   0 Reply With Quote
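
The duplicated-`goto` pattern the article refers to, as an added example that is not part of the original post and is not Apple's source: a simplified C model in which every function name and the sample signature are hypothetical, constructed stand-ins. It puts the buggy shape beside a fail-closed rewrite.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the real hashing and signature steps. */
static int hash_update(const unsigned char *data, size_t len) {
    (void)data; (void)len;
    return 0;                                  /* hashing succeeds */
}

static int verify_signature(const unsigned char *sig, size_t len) {
    static const unsigned char good[] = "GOOD-SIG";   /* constructed sample */
    return (len == 8 && memcmp(sig, good, 8) == 0) ? 0 : -1;
}

/* Buggy shape: the second goto is unconditional, so verify_signature()
 * is never reached and err still holds 0 from hash_update(). */
int check_buggy(const unsigned char *params, size_t plen,
                const unsigned char *sig, size_t slen) {
    int err;
    if ((err = hash_update(params, plen)) != 0)
        goto fail;
        goto fail;
    err = verify_signature(sig, slen);
fail:
    return err;
}

/* Fail-closed shape: braces on every branch, and success is recorded
 * only after the signature check has actually run and passed. */
int check_fixed(const unsigned char *params, size_t plen,
                const unsigned char *sig, size_t slen) {
    int ok = 0;
    if (hash_update(params, plen) != 0) {
        goto done;
    }
    if (verify_signature(sig, slen) != 0) {
        goto done;
    }
    ok = 1;
done:
    return ok ? 0 : -1;
}

int main(void) {
    const unsigned char p[] = "params", forged[] = "FORGED!!";
    printf("buggy accepts forged: %s\n", check_buggy(p, 6, forged, 8) == 0 ? "yes" : "no");
    printf("fixed accepts forged: %s\n", check_fixed(p, 6, forged, 8) == 0 ? "yes" : "no");
    return 0;
}
```

GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` are the warnings aimed at the buggy shape.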
Old Feb 23, 2014, 09:19 PM   #2
joshwenke
macrumors member
 
Join Date: Mar 2011
Location: San Jose, CA
At least they're fixing it! Look on the bright side :P
joshwenke is offline   3 Reply With Quote
Old Feb 23, 2014, 09:21 PM   #3
Sky Blue
Guest
 
Join Date: Jan 2005
I hope this is a separate security release, and not only available in 10.9.2.
Sky Blue is offline   6 Reply With Quote
Old Feb 23, 2014, 09:22 PM   #4
yjchua95
macrumors 68020
 
Join Date: Apr 2011
Location: Queenstown, NZ and Melbourne, VIC, Australia (formerly KL, Malaysia)
I can imagine an NSA techie slamming his head into a wall while saying "*******! They found the loophole I inserted!"
__________________
2 13" late-2013 rMBPs (base+maxed), maxed late-2013 rMBP 15", maxed early-2011 15", 2010 17", 2 maxed Haswell iMacs (21.5" and 27"), maxed 2012 mini, 2 12-core nMPs, maxed 2013 13" MBA
yjchua95 is offline   21 Reply With Quote
Old Feb 23, 2014, 09:26 PM   #5
Rogifan
macrumors G3
 
 
Join Date: Nov 2011
So did the software release on Friday fix everything or just Safari?
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   0 Reply With Quote
Old Feb 23, 2014, 09:26 PM   #6
mathcolo
macrumors 6502a
 
 
Join Date: Sep 2008
Location: Colorado
Quote:
Originally Posted by Sky Blue View Post
I hope this is a separate security release, and not only available in 10.9.2.
And it better come tomorrow
__________________
13" MacBook Pro Retina - 2.6 GHz i5 - 512GB SSD - 8GB RAM
- Google Nexus 5
[Retired]13" MacBook Pro - 2.53 GHz C2D - 240GB SSD - 8GB RAM
[Retired]- Samsung Galaxy Nexus LTE
mathcolo is offline   12 Reply With Quote
Old Feb 23, 2014, 09:27 PM   #7
MacMan988
macrumors 6502a
 
Join Date: Jul 2012
No security.

Great work, Apple!
MacMan988 is offline   12 Reply With Quote
Old Feb 23, 2014, 09:29 PM   #8
gotluck
macrumors 68030
 
 
Join Date: Dec 2011
Location: East Central Florida
Quote:
Originally Posted by Rogifan View Post
So did the software release on Friday fix everything or just Safari?
I believe 7.0.6 fixed all issues for iOS related to the SSL bug
__________________
iPad Air LTE 7.1.2 JB (T-Mobile) - GS 4 Google Edition 4.4.4 ART (AT&T) - Windows 7 PC's - iPhone 4 6.1 JB
"Give me liberty (root access), or give me death!" - Patrick Henry
gotluck is offline   2 Reply With Quote
Old Feb 23, 2014, 09:31 PM   #9
furi0usbee
macrumors 6502a
 
Join Date: Jul 2008
If Apple (and all companies) don't work with independent, third party security firms, this is one reason why they should. Increasingly we are putting our most private information in the cloud and transmitting it daily. Apple needs to step up and have their systems/software tested/hacked by firms which they hire so these issues can be found out before mass release. Some of the stuff that has gotten by Apple in the past was pretty crazy how it wasn't caught. Some stuff has little impact in day to day use. This one is big however.
__________________
YouTube - Apple iPhone Support Hotline (Actual Phone Call Recording)
MacBook Pro 15" (Retina) 2.3GHz i7 / 8GB RAM  iPad mini (AT&T) (16GB)
furi0usbee is offline   2 Reply With Quote
Old Feb 23, 2014, 09:33 PM   #10
Rogifan
macrumors G3
 
 
Join Date: Nov 2011
Quote:
Originally Posted by gotluck View Post
I believe 7.0.6 fixed all issues for iOS related to the SSL bug
Thanks. Mods, perhaps the article should be updated to make that clear.
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   0 Reply With Quote
Old Feb 23, 2014, 09:35 PM   #11
telecomm
macrumors 65816
 
 
Join Date: Nov 2003
Location: Rome
"GoToFail"
telecomm is offline   1 Reply With Quote
Old Feb 23, 2014, 09:37 PM   #12
C DM
macrumors G3
 
Join Date: Oct 2011
Quote:
Originally Posted by gotluck View Post
I believe 7.0.6 fixed all issues for iOS related to the SSL bug
Hopefully along with OS X they'll release an update for iOS 7.1 beta and I guess OS X 10.9.2 beta as well to get them in line with this rather bad and important security fix.
C DM is offline   0 Reply With Quote
Old Feb 23, 2014, 09:39 PM   #13
SantaFeNM
macrumors newbie
 
Join Date: Oct 2012
Location: Santa Fe, NM
Very soon.....

My definition of "very soon," and Apple's definition of "very soon," are very different.
__________________
2012 13" MacBook Air (i7, 8g RAM, 256GB), 64GB iPod Touch 5th gen, iPod Shuffle current gen, Apple TV 2nd Gen
SantaFeNM is offline   11 Reply With Quote
Old Feb 23, 2014, 09:41 PM   #14
C DM
macrumors G3
 
Join Date: Oct 2011
Quote:
Originally Posted by SantaFeNM View Post
My definition of "very soon," and Apple's definition of "very soon," are very different.
What would be your definition of very soon given that the news of this came out mid-day Friday or so?
C DM is offline   2 Reply With Quote
Old Feb 23, 2014, 09:41 PM   #15
AstronomyiPhone
macrumors regular
 
Join Date: Jun 2013
Location: Maryland
GoToFail.com actually exists.
Nice.
...
Aside from that, why does there need to be 'new research' to confirm that other applications are affected? The bug is a part of OS X's SSL verification system, so of course it is going to affect other applications that use Apple's web services...Forbes ad revenue...
AstronomyiPhone is offline   3 Reply With Quote
Old Feb 23, 2014, 09:44 PM   #16
sparkles3020
macrumors newbie
 
Join Date: Jul 2013
I wonder if *very soon* has been worked on over the weekend?
sparkles3020 is offline   3 Reply With Quote
Old Feb 23, 2014, 09:44 PM   #17
starbird
macrumors 6502
 
Join Date: Mar 2010
Quote:
Originally Posted by Rogifan View Post
Thanks. Mods, perhaps the article should be updated to make that clear.
I think the issue was these apps all use the same SSL certs and now that is all fixed.

A serious question. Is the true threat as serious as some are making it? Wouldn't the "evil-doer" need to be on the same wifi network?
starbird is offline   0 Reply With Quote
Old Feb 23, 2014, 09:45 PM   #18
gotluck
macrumors 68030
 
 
Join Date: Dec 2011
Location: East Central Florida
Quote:
Originally Posted by C DM View Post
Hopefully along with OS X they'll release an update for iOS 7.1 beta and I guess OS X 10.9.2 beta as well to get them in line with this rather bad and important security fix.
There's a fix on Cydia for jailbreakers on iOS 6-7.1b3
__________________
iPad Air LTE 7.1.2 JB (T-Mobile) - GS 4 Google Edition 4.4.4 ART (AT&T) - Windows 7 PC's - iPhone 4 6.1 JB
"Give me liberty (root access), or give me death!" - Patrick Henry
gotluck is offline   0 Reply With Quote
Old Feb 23, 2014, 09:51 PM   #19
AstronomyiPhone
macrumors regular
 
Join Date: Jun 2013
Location: Maryland
Quote:
Originally Posted by starbird View Post
I think the issue was these apps all use the same SSL certs and now that is all fixed.

A serious question. Is the true threat as serious as some are making it? Wouldn't the "evil-doer" need to be on the same wifi network?
Yes, but I think this article does a good job of explaining why that's such an issue...
AstronomyiPhone is offline   2 Reply With Quote
Old Feb 23, 2014, 09:52 PM   #20
SantaFeNM
macrumors newbie
 
Join Date: Oct 2012
Location: Santa Fe, NM
Quote:
Originally Posted by C DM View Post
What would be your definition of very soon given that the news of this came out mid-day Friday or so?
In line with the release of the iOS update. That would be "very soon".

Apple has done a poor job of getting the word out about this vulnerability and what their customers should have been, and should be doing while waiting for the patch.

I've notified a dozen or so people I know that use iOS devices or Macs, and none of them knew about the bug, let alone that they should be avoiding public wifi. Apple could have communicated with their customers much better on this.
__________________
2012 13" MacBook Air (i7, 8g RAM, 256GB), 64GB iPod Touch 5th gen, iPod Shuffle current gen, Apple TV 2nd Gen
SantaFeNM is offline   3 Reply With Quote
Old Feb 23, 2014, 09:55 PM   #21
Rogifan
macrumors G3
 
 
Join Date: Nov 2011
Quote:
Originally Posted by AstronomyiPhone View Post
GoToFail.com actually exists.
Nice.
...
Aside from that, why does there need to be 'new research' to confirm that other applications are affected? The bug is a part of OS X's SSL verification system, so of course it is going to affect other applications that use Apple's web services...Forbes ad revenue...
More page views for MR.
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   1 Reply With Quote
Old Feb 23, 2014, 10:15 PM   #22
charlituna
macrumors 604
 
 
Join Date: Jun 2008
Location: Los Angeles, CA
Quote:
Originally Posted by sparkles3020 View Post
I wonder if *very soon* has been worked on over the weekend?
We may have an answer to that tomorrow.

What I find interesting is that the first mentions of this huge failure come AFTER Apple released the fix. Where are the tales of the actual attacks, where are the tales going on for weeks and months about how some security expert found this bug without being told to go look at the SSL coding and Apple did nothing for ages?
charlituna is offline   3 Reply With Quote
Old Feb 23, 2014, 10:21 PM   #23
Tech198
macrumors 68040
 
Join Date: Mar 2011
Location: Australia, Perth
What a surprise...

Only a day later AFTER iOS update with the SAME problem...

Most Apple people will tell me "It's just a coincidence.." that they waited this long in the first place...

Obviously, Apple doesn't care about security..

They think they do, otherwise this SSL issue would have been right at the top of the list.... against all other "features" that SHOULD come after security, not before or in-between.

I would have fixed this the moment I heard about it...

What else can go wrong ?

With Apple, anything goes .. Next up: Macs are not as secure as Apple thought.
__________________
13" MBPR, i5, 256Gig SDD, 8 Gig Ram, Apple TV, iPhone 5S 16Gig, iPad 16Gig, Mac Mini 2.3Ghz i7, 1TB HD
"There are no stupid questions, just stupid people."
Tech198 is offline   0 Reply With Quote
Old Feb 23, 2014, 10:21 PM   #24
C DM
macrumors G3
 
Join Date: Oct 2011
Quote:
Originally Posted by gotluck View Post
There's a fix on Cydia for jailbreakers on iOS 6-7.1b3
That's certainly good. Doesn't help much for those who are running the latest iOS 7.1 beta (even not on their main devices) or running iOS 6 on iPhone 4 or 4S or 5 and don't want to go to iOS 7 or jailbreak.
C DM is offline   1 Reply With Quote
Old Feb 23, 2014, 10:23 PM   #25
ArtOfWarfare
macrumors 603
 
 
Join Date: Nov 2007
Quote:
Originally Posted by MacRumors View Post
termed "GoToFail" by security specialists due to the improperly used "goto" command that triggers it
I'm a little interested how they know that it's goto and not something else… does goto actually have a one-to-one mapping with something in x86? (I guess it would be jump? But there's plenty of other things that would use jump too, I would think? Function calls would have jump-and-link, while and for would have some kind of conditional jumps… is goto really the only thing that translates directly to jump? I'm surprised Apple doesn't have a static analyzer that automatically rejects code using a goto…)
__________________
Battery Status - On the Mac App Store
The only app that'll estimate when your wireless devices will need their batteries changed.
Including the ones paired with other Macs on your network.
ArtOfWarfare is offline   1 Reply With Quote
